THE  VOICE  OF  IT  MANAGEMENT  -  WWW.COMPUTERWORLO.COM  AUGUST  30,  2004  .  VOL.  38  »  NO  35  »  S5/C0PY 


) 

!  App  Tests  for 

i  Win  XP  SP2 
Burden  Users 

Most  delay  installing 
XP  security  update 


•W^  v..  \ 

*  '  \  ^ 

Key  Financial  Rrms  Compare 
Notes  on  Disaster  Recovery 


BY  LUCAS  MEARIAN 

A  group  of  top  financial  ser¬ 
vices  companies  confirmed 
last  week  that  their  IT  execu¬ 
tives  have  met  to  share  cur¬ 
rent  disaster  recovery  schemes 


and  discuss  future  technology 
recovery  strategies.  And  what 
they  found  was  that  they  had 
a  lot  in  common  —  including 
headaches. 

“To  start  with,  I  found  out 


I’m  not  alone.  All  banks  are 
struggling  with  this,”  said 
Todd  Baumann,  director  of 
enterprise  business  continuity 
at  Huntington  Bancshares  Inc. 
in  Columbus,  Ohio. 

The  Technology  Recovery 
Project  involved  an  informa¬ 
tion  exchange  among  eight 
banks  (see  list,  page  14).  IBM, 
Microsoft  Corp.  and  Veritas 
Software  Corp.  also  participat¬ 
ed  in  the  project,  which  was 
organized  by  the  New  York- 
based  Financial  Services  Tech- 


p[ii;!iHii'H 

To  access  related  stories,  visit  our 
Financial  Industry  Center: 

OQuickLink  q3670 

www.computerworld.com 


nology  Consortium  and  took 
place  between  November 
2003  and  June  of  this  year. 

The  banks  and  bank  holding 
companies  looked  at  main¬ 
frame,  open  systems  and  stor- 
Disaster  Plans,  page  14 


Is  Your  Data  Safe  Offshore? 


ONLINE 

EXCLUSIVE 

Indians  face 
the  offshoring 
backlash: 

O  49105 


We  went  to  India  and  China,  the  two  hottest  offshore  out¬ 
sourcing  destinations,  to  find  out.  Our  on-location  coverage 
from  Bangalore  and  Shanghai  begins  on  page  6. 


BY  CAROL  SLIWA 

Microsoft 
Corp.’s  Service 
Pack  2  is  an  im¬ 
portant  securi¬ 
ty-focused  up¬ 
date  for  corporate  users  run¬ 
ning  Windows  XP.  But  in  the 
three  weeks  since  its  release, 
it’s  been  a  tough  pill  for  many 
to  swallow,  as  they  struggle  to 
test  tens,  hundreds  and,  in 
some  cases,  at  least  1,000  ap¬ 
plications  against  it. 

Only  two  of  32  IT  managers 
who  responded  last  week  to  a 
Computerworld  survey  con¬ 
ducted  via  e-mail  and  tele¬ 
phone  said  their  companies 
had  deployed  SP2,  and  in  both 
cases  they  did  so  as  part  of 
Microsoft  early-adopter  pro¬ 
grams.  The  majority  said 
they’re  still  testing  SP2  to 
determine  its  compatibility 
with  the  applications  their 
companies  run. 

“As  we  get  closer  to  the  holi¬ 
days,  we  don’t  make  changes 
of  this  significance  because 
we  don’t  want  to  disrupt  our 
environment  so  close  to  our 

SP2,  page  45 


Early  SP2 
adopters  got 
extra  help. 


PAGE  45 


Can  you  afford  to  change? 


The  time  has  come,  they  say,  to  transform  your  IT.  But  how? 
On  what  scale?  As  a  technology  company,  HP  creates-as 
no  financial  institution  can— opportunities  you  once  thought 
impossible,  and  lets  you  change  without  fear.  HP  consultants 
help  you  identify  the  hardware,  software  and  services  you’ll 
need.  Then  HP  Financial  Services  helps  you  finance  global 
migration  and  manage  the  technology  over  its  lifespan,  while 
minimizing  financial  risks.  Once  you  can  afford  change,  you 
might  even  embrace  it.  www.hp.com/info/hpfs 


$ 

FOR  ACH/DIRECT  DEPOSIT  ONLY.  USE  A  VOIDEO  CHECK 


i:52000  ^  W'l 


?□□  i  2  00  3iiB 


invent 


Microsoft 

Your  potential.  Our  passion. 


of  companies  rely  on  .NET  for  their 
primary  development  environment 

Get  the  report  at  microsoft.com/forrester 


OPINION 

Encryption  Must  Move  Beyond  SHA 

In  the  Technology  section:  Bruce  Schneier  says  recent 
progress  in  breaking  the  MD5  and  SHA  hash  functions 
means  it’s  time  to  find  a  new  hash  standard.  Page  28 


08.30.04 


Who  Owns  the  Web? 

In  the  Management  section: 

When  business  units  fight  for 
control  of  the  corporate  Web 
site,  the  company  loses.  Page  31 


NEWS 


SPECIAL  REPORT 


is  Your  Data 
Safe  Offshore? 

In  India,  IT  outsourcers 
are  bolstering  security  in 
response  to  demand  from 
U.S.  clients.  And  Chinese 
service  providers  are  try¬ 
ing  to  overcome  their 


country’s  reputation  as 


12  The  SEC  has  postponed  by 

one  year  a  Sarbanes-Oxley 
Act  deadline  for  swifter  filing 
of  annual  corporate  reports. 

13  U.S.  Army  payroll  systems 

have  been  pushed  past  their 
breaking  point  by  the  war  in 
Iraq,  causing  problems  for 
reservists,  says  the  GAO. 

13  The  TSA  plans  tests  of  new 

airport  security  technologies, 
but  lawmakers  and  industry 
executives  are  frustrated  by 
the  slow  pace  of  deployment. 

15  Wireless  WANs  move  beyond 
fixed  points  as  Washington 
State  Ferries  plans  to  offer 
Wi-Fi  service  on  its  vessels. 


TECHNOLOGY 

19  Organized  Crime  Invades 
Cyberspace.  Script  kiddies 
and  vandals  get  the  publicity, 
but  pros  with  a  profit  motive 
are  moving  into  cybercrime. 

24  Directory  Assistance.  Virtual 
directories  provide  a  faster, 
easier  way  to  connect  directory- 
dependent  applications  with 
the  user  data  they  need. 

26  QuickStudy:  Fuzzy  Logic.  An 

extension  of  Boolean  logic, 
fuzzy  logic  is  designed  to 
come  up  with  answers  when 
data  is  vague  or  imprecise. 

27  Security  Manager’s  Journal: 
Company  Secrets  Hit  the 
Exits.  Mathias  Thurman  dis¬ 
covers  that  executives  are  free 
to  leave  his  company  with  lap¬ 
tops  loaded  with  strategic  ap¬ 
plications  and  data. 

MANAGEMENT 

33  Petite  Portfolio.  Several  small 
projects  can  add  up  to  big 
risks.  Managing  them  effi¬ 
ciently  requires  a  blend  of 
rigor  and  common  sense. 

36  Who’s  Who  in  IT:  The  Thrill  of 
Crisis.  You  may  think  data¬ 
base  administration  is  a  skill, 
but  DBA  Gary  Rue  knows  it’s 
an  art.  In  his  world,  a  crisis  is 
always  just  around  the  corner. 

37  Book  Reviews:  From  IT 
Governance  to  Hacking. 

These  new  books  can  help 
you  survive  as  a  CIO,  set  up 
effective  IT  governance,  prof¬ 
it  from  agile  project  manage¬ 
ment  and  outwit  hackers. 


OPINIONS 

10  On  the  Mark:  Mark  Hall 

learns  of  ways  to  thwart  theft 
by  iPod,  kill  spam  before  it 
reaches  your  network  and 
create  a  virtual  directory. 

16  Maryfran  Johnson  sees  some¬ 
thing  big  in  Duke  Power’s  de¬ 
cision  to  give  its  framework 
for  .Net  development  to  the 
open-source  community.  But 
the  move  raises  questions 
about  licensing  that  all  IT 
managers  should  investigate. 

16  Dan  Gillmor  thinks  Microsoft 
should  use  some  of  its  billions 
in  reserves  to  ensure  that  the 
next  PC  you  buy  doesn’t  need 
immediate  XP  upgrades. 

17  Pimm  Fox  has  some  advice  for 
the  agency  behind  the  anti¬ 
terror  “no-fly”  list:  Get  the 
technology  right. 

38  Gopal  K.  Kapur  says  project 
managers  tend  to  point  to  two 
key  causes  of  project  failures: 
half-baked  or  harebrained 
ideas  and  excessive  scope 
creep.  What’s  his  solution? 
Just  say  no. 

46  Frankly  Speaking:  Frank 

Hayes  warns  that  before  you 
junk  data  storage  devices, 
remember  that  any  informa¬ 
tion  they  contain  is  dangerous 
in  the  wrong  hands. 

DEPARTMENTS/RESOURCES 


At  Deadline  Briefs . 10 

News  Briefs . 12 

Letters  . 17 

IT  Careers . 40 

Company  Index . 44 

How  to  Contact  CW . 44 

Shark  Tank  . 46 


ONLINE 

WWW.C0MPUTERW0RLD.C0M 


Have  you  installed  Windows  XP  SP2 
at  your  organization? 


Yes, 
problem- 
free 

Yes,  w/major  problems  ^ —  Yes,  w/minor  problems 

©  Take  this  week's  QuickPoll  at  www.computerworld.com. 

SOURCE:  COMPUTERWORLD.COM  NONSCIENTIFIC  SURVEY;  702  VOTES 


QuickPoll  Results 


Phishing:  Are  You  Responsible? 

IT  MANAGEMENT:  Those  e-mails  trying  to 
con  customers  into  parting  with  sensitive 
information  may  not  be  connected  to  your 
company,  but  washing  your  hands  of  the 
mess  is  bad  for  business,  says  new  IT  Ethics 
columnist  Larry  Ponemon. 

©  QuickLink  a4920. 


Apple  Remote  Desktop  2 
‘Well  Worth  the  Money’ 

MACINTOSH:  Columnist  Yuval  Kossovsky 
takes  Apple  Remote  Desktop  2  out  for  a 
spin  and  Finds  that  its  new  management 
features  make  it  an  upgrade  that’s  worthy  of 
consideration.  ©  QuickLink  48931 


What’s  a  QuickLink? 


O  Throughout  each  issue  of 
Computerworld,  you'll 
see  five-digit  QuickLink  codes 
pointing  to  related  content  on 
our  Web  site.  Also,  at  the  end  of 
each  story,  a  QuickLink  to  that 
story  online  facilitates  sharing  it 
with  colleagues.  Just  enter  any 
of  those  codes  into  the  Quick¬ 
Link  box,  which  is  at  the  top  of 
every  page  on  our  site. 


ONLINE 

DEPARTMENTS 

Breaking  News 

©  QuickLink  a1510 

Newsletter 

Subscriptions 

©  QuickLink  a1430 

Knowledge  Centers 

©  QuickLink  a2570 

The  Online  Store 

©  QuickLink  a2420 


COMPUTERWORID  August  30, 2004 


NEWS  SPECIAL  REPORT 


ectations, 


Response  Rise  in  India 


INCREASINGLY  TOUGH  DEMANDS  FROM  U.S.  CLIENTS  SPARK  CHANGE. 
BY  JAIKUMAR  VIJAYAN  BANGALORE 


A  TALL  ELECTRIC  FENCE 
secures  the  perimeter 
of  Wipro  Technolo¬ 
gies’  main  campus  in 
Bangalore’s  Electronic  City. 
Inside,  just  behind  the  sliding 
steel  gates,  is  a  checkpoint 
where  security  personnel 
issue  photo-ID  badges  to 
all  visitors. 

Card  keys  and  biometric 
authentication  devices  control 
access  to  the  various  develop¬ 
ment  centers  in  sleek  build¬ 
ings  dotting  the  landscaped 
campus.  Closed-circuit  TVs 
provide  constant  surveillance. 

At  the  same  time,  an  invisi¬ 
ble  perimeter  of  event  logging 
and  monitoring  tools,  intru¬ 
sion-detection  systems,  fire¬ 
walls  and  encryption  technolo¬ 
gies  protects  the  company’s 
information  infrastructure. 

Such  measures  are  what’s 
needed  to  allay  security  con¬ 
cerns  for  U.S  clients  outsourc¬ 
ing  work  to  Wipro,  said  J.  Paz- 
hamalai,  information  security 
manager  at  the  $1  billion  IT 
services  vendor.  “Data  security 
and  privacy  used  to  be  an  after¬ 
thought,”  Pazhamalai  said. 
“Now  customers  are  talk¬ 
ing  about  it  right  at  the 
RFP  stage  itself.  They 
want  a  security  plan  with 
the  proposal.” 

Wipro  and  other  Indi¬ 
an  outsourcing  vendors 
are  bolstering  their  se¬ 
curity  and  privacy 
practices  in  response 
to  U.S.  concerns  stem¬ 
ming  from  the  compli¬ 
ance  requirements 
of  laws  such  as  Sar- 
banes-Oxley,  Gramm- 
Leach-Bliley  and 
HIPAA.  The  key 
threats  include  unau¬ 


thorized  data  access,  acciden¬ 
tal  information  loss  and  sabo¬ 
tage,  loss  of  intellectual  prop¬ 
erty,  and  damage  from  worms 
and  viruses. 

A  growing  number  of  com¬ 
panies  “are  seeking  stringent 
contractual  guarantees  related 


VIDEO  MONITORING  is 

used  extensively  by  Indian 
service  providers. 


to  the  security  and  privacy  of 
data  that  could  be  remotely 
accessed  as  part  of  IT  applica¬ 
tion  development,  testing  or 
[business  process  outsourc¬ 
ing],”  said  Rusi  Brij,  CEO  of 
Hexaware  Technologies  Ltd., 
a  Mumbai-based  service  pro¬ 
vider  with  facilities  in  Banga¬ 
lore.  “They  are  demanding 
documented,  auditable  proce¬ 
dural  controls.” 

Regulatory  compliance  is 
what’s  driving  much  of  the 
need  for  such  measures,  agreed 
Ram  Mouli,  vice  president  of 
technology  planning  and  de¬ 
velopment  at  T.  Rowe  Price 
Group  Inc.  The  Baltimore- 
based  investment  manage¬ 
ment  firm,  which  manages  as¬ 
sets  worth  more  than  $206  bil¬ 
lion,  has  outsourced  several 
application  development  proj¬ 
ects  to  India. 

“New  regulations  from  the 
SEC  and  other  regulatory 
agencies  have  created  a  need 
for  several  internal  controls 
for  application  development, 
change  control  and  mainte¬ 
nance,”  Mouli  said.  “These 
controls  have  to  be  extended 
offshore  and  monitored.” 

The  result  is  “tremendous 
scrutiny  right  now  on  data  se¬ 
curity,  access  controls  and  pri¬ 
vacy”  related  to  offshore  work, 
said  the  chief  technology  offi¬ 
cer  of  a  Chicago-based  service 
provider  for  the  financial  in- 


A  Painfully  Slow  Process 


JOLLY  TECHNOLOGIES  INC.,  a 
San  Carlos,  Calif.,  maker  of 
labeling  products  for  the 
printing  industry,  is  finding 
out  the  hard  way  just  how 
tough  it  can  sometimes  be  to 
enforce  intellectual  property 
(IP)  protections  in  India. 

In  May,  the  company  set  up 
a  small  software  develop¬ 
ment  center  in  Mumbai. 
Among  the  approximately  20 
people  it  hired  in  the  western 
India  city  was  a  software  en¬ 
gineer  who  in  mid-July  was 
caught  uploading  substantial 
chunks  of  Jolly  source  code 


The  ability  for 
employees  to 
carry  data  out  of  the 
facility  is  minimized 
to  what  they  can 
carry  in  their  heads. 


SUNIL  GUJRAL,  VICE  PRESIDENT  OF 
TECHNOLOGY.  WIPRO  SPECTRAMIND 


dustry  who  spoke  on  condi¬ 
tion  of  anonymity.  “Some  of 
our  customers  have  asked  us 
to  fill  out  extraordinarily  de¬ 
tailed  questionnaires  in  which 
they  ask  us  to  attest  to  our  se¬ 
curity  controls  so  they  in  turn 
can  include  that  in  their  com¬ 
pliance  documents,”  he  said. 

The  trend  is  resulting  in  a 
much  greater  focus  by  both 
U.S.  companies  and  their  Indi¬ 
an  vendors  on  issues  such  as 
security  certifications  and 
audits,  identity  management 
and  application  provisioning, 
and  on  detailed  event  logging 
and  monitoring  activities  (see 
“Security  Checklist,”  page  7). 

There’s  no  question  that  se¬ 
curity  expectations  have  risen 
sharply,  said  S.  Gopalakrish- 
nan,  chief  operating  officer  at 
Bangalore-based  Infosys  Tech¬ 
nologies  Ltd.,  one  of  India’s 
largest  IT  services  vendors, 
with  revenue  of  more  than 


to  her  Yahoo  personal  e-mail 
account. 

The  woman,  who  admitted 
the  theft,  was  immediately 
fired,  and  a  complaint  was 
filed  with  the  Mumbai  police 
department  soon  afterward, 
said  Brett  Changus,  Jolly's 
chief  financial  officer. 

“Unfortunately,  that’s 
pretty  much  where  things 
are,  even  now,”  Changus  said 
last  week.  “The  police  there 
appear  to  be  having  a  hard 
time  comprehending  what 
IP  is  and  how  important  it  is 
to  us.” 


As  a  result,  more  than  a 
month  after  the  complaint 
was  filed,  no  action  has  been 
taken  against  the  woman, 
Changus  said.  In  frustration, 
the  company  earlier  this 
month  decided  to  file  a  law¬ 
suit  against  the  Mumbai  po¬ 
lice  department  over  its  al¬ 
leged  failure  to  take  action  in 
the  case. 

“There  are  IP  protection 
laws  there,  but  so  far,  we 
have  received  zero  protec¬ 
tion,”  Changus  said. 

The  Mumbai  police  could 
not  be  reached  for  comment. 

The  incident  has  prompted 
Jolly  to  reassess  its  India 
strategy,  Changus  said.  “We 
obviously  took  whatever  pre- 


$1  billion.  “It’s  become  a  lot 
more  explicit  now.  We’ve  had 
to  improve  on  and  formalize  a 
lot  of  things”  from  a  data  secu¬ 
rity  standpoint,  he  said. 

One  example  is  a  backup 
storage  site  that  Infosys  recent¬ 
ly  established  outside  India  in 
nearby  Mauritius.  All  client 
backup  tapes  are  shipped 
weekly  to  the  site  as  a  precau¬ 
tion.  In  addition,  each  client 


cautions  we  could.  But  if  we 
can’t  protect  our  IP,  there  is 
no  way  we  can  do  business 
there,”  he  said.  “People  have 
to  know  that  they  just  can’t 
steal  confidential  information 
and  get  away  with  it.” 

India’s  IT  trade  organiza¬ 
tion,  the  New  Delhi-based 
National  Association  of  Soft¬ 
ware  and  Service  Companies 
(Nasscom),  is  acutely  aware 
that  the  country’s  flourishing 
IT  industry  could  be  damaged 
if  data  protection  can’t  be 
enforced. 

The  organization  recently 
launched  an  education  cam¬ 
paign  aimed  at  judicial  and 
police  authorities  as  well  as 
the  ministries  of  IT  and  law. 


has  been  assigned  a  standby 
backup  facility  in  an  alternate 
location,  Gopalakrishnan  said. 

Indian  business  process  out¬ 
sourcing  (BPO)  companies, 
which  typically  handle  a  lot 
more  sensitive  information 
when  servicing  their  clients 
than  pure  IT  development 
shops,  take  extra  precautions. 

Wipro  Spectramind,  a  $95 
million  BPO  subsidiary  of 


association  vice  president 
Sunil  Mehta  said.  The  idea  is 
to  create  a  much  broader 
awareness  of  the  need  for 
enacting  legislation  that  can 
be  more  easily  enforced. 

Nasscom  is  also  working 
with  IT  companies  to  build  a 
database  that  vendors  can 
use  to  more  quickly  and  reli¬ 
ably  verify  an  employee’s 
professional  education  and 
other  background  informa¬ 
tion,  Mehta  said. 

The  global  database  will  be 
compiled  with  input  from 
Nasscom’s  members  but 
won’t  be  used  as  an  instru¬ 
ment  for  blacklisting  employ¬ 
ees,  he  said. 

-  Jaikumar  Vijayan 


Wipro,  prohibits  employees 
from  carrying  mobile  phones 
or  pens  and  paper  to  their 
work  areas.  “The  ability  for 
employees  to  carry  data  out 
of  the  facility  is  minimized  to 
what  they  can  carry  in  their 
heads,”  said  Sunil  Gujral,  vice 
president  of  technology. 

As  with  other  BPO  outfits 
and  many  IT  development 
shops,  at  Spectramind,  any 
ports  and  devices  that  can  be 
used  to  store  or  copy  data  are 
disabled  on  all  PCs  and  note¬ 
books  that  employees  might 
need  to  use  to  deliver  services 
for  U.S.  clients.  A  majority  of 
its  call  center  agents  access 
customer  systems  via  bare- 
bones  Citrix  Systems  Inc.  ter¬ 
minals  that  provide  no  avenue 
for  data  to  be  stored  or  copied. 

“[Spectramind]  only  has  the 
ability  to  view  [our]  data,”  said 
Chris  Larsen,  CEO  of  E-Loan 
Inc.,  a  Pleasanton,  Calif. -based 
online  provider  of  consumer 
loans  that  has  outsourced  a 
portion  of  its  back-office 
home-equity  underwriting 
functions  to  Spectramind. 
“They  do  not  have  the  ability 
to  store,  share,  print  or  retain 
data  in  their  India-based  com¬ 
puters  and  systems.” 

E-Loan  also  uses  a  variety  of 
technologies  from  companies 
such  as  Tripwire  Inc.  and 
open-source  tools  like  Nagios 
to  monitor  and  log  activity  at 
Spectramind,  Larsen  added. 

Ongoing  Risks 

Despite  the  measures  to  bol¬ 
ster  security,  the  relative 
dearth  of  security  profession¬ 
als  in  India,  the  breakneck 
growth  of  its  IT  industry  and 
an  onerous  legal  system  con¬ 
tinue  to  pose  risks  that  must 
not  be  overlooked,  cautioned 
Samir  Kapuria,  an  analyst  at 
@stake  Inc.,  a  Cambridge, 
Mass.-based  consultancy. 

Much  of  the  growth  in  Indi¬ 
an  IT  jobs  over  the  past  few 
years  has  been  in  areas  such  as 
application  development  and 
maintenance,  rather  than  in  a 
“niche  job”  such  as  IT  securi¬ 
ty,  Kapuria  noted. 

On  paper  at  least,  India  has 
several  laws  that  cover  data  se¬ 
curity  and  privacy  issues.  The 
most  prominent  one  is  the  In¬ 
dian  Information  Technology 


AT  WIPRO,  a  fortified  physical  perimeter  is  complemented  by  an  invisi¬ 
ble  perimeter  of  intrusion-detection  systems,  firewalls  and  encryption. 


Act  of  2000,  which  makes 
the  unauthorized  use  of  data 
a  punishable  offense.  But  time¬ 
ly  enforcement  of  such  laws 
could  prove  difficult,  given  the 
excruciatingly  slow  pace  of  the 
country’s  legal  system.  That 
poses  a  significant  threat  from 
an  intellectual  property  protec¬ 
tion  standpoint,  Kapuria  said. 

Moreover,  the  distance  fac¬ 
tor  can  help  conceal  risky  prac¬ 
tices,  especially  when  dealing 
with  smaller  firms.  For  exam¬ 
ple,  a  fast-growing  BPO  com¬ 
pany  that  was  recently  moving 
to  a  larger  facility  decided  to 
move  some  of  its  servers  to  a 
nearby  Internet  cafe,  where  it 
connected  to  its  U.S.  clients, 
because  of  a  delay  in  the  open¬ 
ing  of  its  new  facility. 

And  although  the  practice 
appears  to  be  rare,  Indian  firms 
have  been  known  to  subcon¬ 
tract  work  out  to  companies  in 
other  countries  without  the 
knowledge  of  the  U.S.  client 
and  with  none  of  the  security 
measures  that  might  have  been 
originally  agreed  upon. 

But  the  reputable  providers 
appear  to  have  gotten  the  se¬ 
curity  message  from  their 
clients.  It’s  no  longer  enough 
for  Indian  companies  to  “sim¬ 
ply  say  they  are  addressing 
the  issue,”  Gopalakrishnan 
acknowledged.  “They’ve  got 
to  be  able  to  show  how  they 
are  addressing  it.”  ©  49098 

MORE  ONLINE 

For  related  news,  visit  our  Offshore 
Outsourcing  special  coverage  page: 

OQuickLink  a4800 

www.computerworld.com 


Security 

Checklist 

■  REQUIRE  Indian  vendors 
to  have  their  development 
centers  audited  by  estab¬ 
lished  firms  or  be  certified 
under  international  data  se¬ 
curity  and  audit  standards 
such  as  BS7799  or  SAS70. 
Many  companies  also  re¬ 
serve  the  right  to  do  spot 
audits  and  checks. 

■  ENSURE  the  use  of  encryp¬ 
tion,  firewalls  and  intrusion- 
detection  systems  to  deal 
with  malicious  attacks.  To 
watch  for  insider  threats, 
companies  have  begun 
mandating  content-filtering 
tools  and  event  logging  and 
monitoring  technologies  on 
the  networks  connecting 
U.S.  clients  with  their  Indian 
providers. 

■  CONDUCT  rigorous  back¬ 
ground  checks  on  employ¬ 
ees  and  require  them  to 
sign  confidentiality  agree¬ 
ments  prohibiting  the  dis¬ 
closure  of  proprietary  infor¬ 
mation  when  they  leave  the 
company. 

■  FOCUS  on  physical  secu¬ 
rity  and  access-control  sys¬ 
tems,  business  continuity 
and  disaster  recoverability. 
Many  companies  insist  on 
off-site  storage  and  alter¬ 
nate  sites. 


COMPUTERWORLD  August  30. 2004 


NEWS  SPECIAL  REPORT 


www.computerworld.com 


Overcoming  the 
Piracy  Stigma  in  China 


PROVIDERS  ‘OVERCOMPENSATE’  FOR  THE  RISK.  BY  SUMNER  LEMON  SHANGHAI 


Walk  into  the  access- 

controlled  room  full  of 
software  developers  at 
Bleum  Inc.’s  headquar¬ 
ters  here  and  you  can’t  miss 
the  slogan  written  in  large 
blue  and  black  letters  that 
stretches  across  the  far  wall: 
“Protect  our  customer.” 

The  message  is  there  to 
serve  as  a  constant  reminder 
for  Bleum’s  team  of  English- 
speaking  software  engineers 
of  the  importance  of  keeping 
clients’  software  code  secure, 
said  Eric  Rongley,  the  out¬ 
sourcing  service  provider’s 
founder  and  CEO. 

Concerns  about  the  protec¬ 
tion  of  intellectual  property 
and  proprietary  corporate 
data  are  hardly  unique  to  Chi¬ 
na.  But  the  security  risks  are 
greater  here  than  in  locations 
such  as  India  or  Eastern  Eu- 
|  rope,  Rongley  said.  “It’s  defi- 
5  nitely  in  the  interests  of  a 
j  company  here  to  overcompen- 
E  sate  for  it,”  he  said. 

S  China’s  poor  reputation  for 


intellectual  property  protec¬ 
tion  stems  largely  from  the 
widespread  availability  of  pi¬ 
rated  DVD  movies  and  soft¬ 
ware.  Last  month,  the  Business 
Software  Alliance  in  Washing¬ 
ton  estimated  that  92%  of  soft¬ 
ware  used  in  China  during 
2003  was  unlicensed  and  ille¬ 
gal.  That  figure  tied  the  coun¬ 
try  with  Vietnam  for  the  dubi¬ 
ous  distinction  of  having  the 
world’s  highest  piracy  rate. 

But  a  high  piracy  rate  for 
packaged  applications  doesn’t 
inherently  place  outsourced 
software  development  proj¬ 
ects  at  risk,  said  Chen  Ling- 
sheng,  vice  president  of 
greater  China  at  BearingPoint 
Inc.,  calling  security  concerns 
in  China  overblown.  Out¬ 
sourcing  projects  to  compa¬ 
nies  in  China  can  be  as  secure 
as  it  is  anywhere  else,  he  said. 

“We  had  a  major  financial 
client  from  the  U.S.  come  over 
here  to  do  a  security  audit  be¬ 
fore  they  would  give  us  a  proj¬ 
ect,  and  we  passed  the  audit,” 
Chen  said,  noting  that  Bear¬ 
ingPoint  follows  the  same  se¬ 
curity  procedures  in  China 
that  it  uses  in  the  U.S. 

In  addition  to  conducting 
security  audits,  those  proce¬ 
dures  include  strictly  enforc¬ 
ing  nondisclosure  agreements 
and  restricting  development 
work  to  facilities  that  require  a 
keycard  for  access. 

BearingPoint  and  other  out¬ 
sourcing  service  providers  in 
China  are  willing  to  go  even 
further  to  meet  their  cus¬ 
tomers’  security  demands.  For 
example,  BearingPoint  devel¬ 
opers  have  access  only  to  code 
and  project  documentation. 

“As  an  outsourcing  service 
provider,  we  take  it  very  seri¬ 
ously  to  protect  our  clients’ 


secrets  and  business  data,” 
said  Walter  Fang,  group  vice 
president  and  chief  technolo¬ 
gy  officer  at  Neusoft  Group 
Ltd.,  a  Chinese  software  com¬ 
pany  based  in  the  northeast¬ 
ern  city  of  Shenyang.  Neusoft 
employs  1,500  developers  who 
work  on  outsourcing  projects 
at  several  locations  in  China. 

Neusoft  allocates  separate 
buildings  for  major  clients 
such  as  Toshiba  Corp.  and 
Alpine  Electronics  Inc.,  and  it 
restricts  access  to  the  build¬ 
ings  to  staff  working  with 
those  companies,  Fang  said. 

On-site  offices  are  available 
to  each  client’s  project  man¬ 
agers,  and  Neusoft  can  pro¬ 
vide  them  with  individual 


sourced  development  projects, 
BearingPoint  has  offered  to  in¬ 
stall  video  cameras  to  monitor 
work  in  project  rooms  at  its 
facilities  in  Shanghai  and  the 
northeastern  Chinese  city  of 
Dalian,  Chen  said. 

At  Bleum’s  highest  level  of 
security,  Rongley  said,  the 
company  offers  a  “shadow 
group”  of  developers  who  are 
given  financial  incentives  to 
uncover  vulnerabilities  in  soft¬ 
ware  developed  by  the  lead 
development  team. 

The  shadow  developers  ex¬ 
amine  the  code  for  security 
holes  such  as  back  doors  or 
opportunities  for  buffer  over¬ 
flows  that  would  allow  attack¬ 
ers  to  run  executable  code. 


DEVELOPERS  at  work  inside  BearingPoint’s  Global  Development  Center 
in  Shanghai  have  access  only  to  code  and  project  documentation. 


phone  lines  rather  than  com¬ 
pany  extensions,  he  said. 

Aside  from  physical  securi¬ 
ty  measures,  Fang  said  foreign 
companies  can  build  effective 
legal  protections  into  their 
contracts  with  outsourcing 
providers  in  China.  For  exam¬ 
ple,  Neusoft’s  contracts  with 
its  Japanese  clients  are  typi¬ 
cally  designed  to  be  enforce¬ 
able  in  both  Japan  and  China 
while  offering  an  avenue  for 
arbitration  with  a  third  party 
under  Hong  Kong  law,  he  said. 

For  companies  that  want 
to  keep  a  closer  eye  on  out- 


While  these  and  other  mea¬ 
sures  may  help  to  guarantee 
the  security  of  a  customer’s 
code  and  data,  the  best  way 
to  improve  intellectual  prop¬ 
erty  protection  in  China  is 
to  change  cultural  attitudes, 
according  to  Rongley.  He 
noted  that  service  providers 
can  advance  the  cause  through 
training  sessions  and  staff 
meetings. 

And  even  slogans  on  the 
wall.  O  49092 


Lemon  is  the  IDG  News  Service 
correspondent  in  Taipei. 


Lead  writer:  JaikumarVijayan  ■  Contributing  writer:  Sumner  Lemon 
Designer:  Julie  Quinn  ■  Editor:  Don  Tennant 


where  information  li' 


■  >*1  ■■■i  \ 
v'" 

, 

■:T-y:Z‘  .•> 


Fr:  wondering  how  to  get  more  out  of  information 


To:  starting  to  do  it  tomorrow 


Toronto,  Ontario,  Canada 
September  8 
Los  Angeles,  September  15 
Boston,  September  21 
Minneapolis,  October  5 
Sao  Paulo,  Brazil 
October  5 

Attendance  is  FREE,  but 
seats  are  limited.  Register  now. 

f  AT&T 

The  world's  networking  company 


At  an  EMC  Forum,  see  how  today’s  storage  and  informati 

STRATEGIES  CAN  HELP  YOU  SOLVE  YOUR  BIGGEST  IT  CHALLENGES 


value  of  information,  at  the  lowest  total  cost  of  ownership,  at  every  point 

In-depth  presentations,  EMC  and  industry  experts,  best-practice  reviews, 
Q&A  sessions  give  you  insights  on  how  to: 


Simplify  Exchange  &  Oracle  migrations 
Align  data  value  to  business  needs 
Simplify  storage  management 


Gain  measurable  TCO  savings 
Meet  compliance  regulations 
And  much  more 


BROCADE 


See  up-to-date  seminar  details,  agendas,  and  more  on  our  registration  site. 

Register  now  at  www.EMC.com/forumseries. 


■  ■ 

m-^2 


m 


■ 


*3* 


i  :: 


;';r 


Platinum  Sponsors 


18  C&MPUTERWORLO  August  30, 2004 


NEWS 


www.computerworld.com 


Storage  Subsystem 
Out  of  Longhorn 

Microsoft  Corp.  announced  Friday 
a  change  in  plans  for  the  next  ma¬ 
jor  release  of  Windows,  which  is 
code-named  Longhorn.  The  new 
Windows  storage  subsystem, 
code-named  WinFS,  won’t  be  part 
of  the  Longhorn  client,  as  previ¬ 
ously  planned.  Microsoft  said 
WinFS  will  be  delivered  after  the 
Longhorn  release.  The  company 
said  the  Longhorn  client  is  target¬ 
ed  for  generally  availability  in 
2006.  It  said  it  expects  the  Long¬ 
horn  server  release  to  be  available 
in  2007. 


Cisco  Warns  of 
Two  Security  Flaws 

Cisco  Systems  Inc.  last  week 
warned  about  security  holes  in 
two  products  that  provide  user 
authentication  and  authorization 
services:  the  Cisco  Secure  Access 
Control  Server  for  Windows,  and 
the  Cisco  Secure  Access  Control 
Server  Solution  Engine.  Qisco  rec¬ 
ommended  that  customers  with 
service  contracts  obtain  the  up¬ 
dates  using  the  Cisco  Product  Up¬ 
grade  Tool  or  by  contacting  its 
Technical  Assistance  Center. 


Oracle  Again  Moves 
Offer  for  PeopleSoft 

Oracle  Corp.  on  Thursday  filed  an¬ 
other  extension  in  its  hostile  $7.7 
billion  bid  to  acquire  PeopleSoft 
Inc.,  this  time  pushing  the  dead¬ 
line  ahead  two  weeks  to  Sept.  10. 
Oracle  said  it  now  has  21.7  million 
tendered  shares  -  6%  of  People- 
Soft’s  outstanding  total. 


U.K.  Agency  Adopts 
Sun’s  Java  Desktop 

The  U.K.’s  National  Health  Ser¬ 
vice  last  week  said  it  purchased 
5,000  licenses  for  Sun  Microsys¬ 
tems  Inc.’s  Java  Desktop  System 
as  an  alternative  to  Windows.  The 
NHS  is  spending  $9  billion  to  up¬ 
grade  its  IT  infrastructure.  It  be¬ 
gan  evaluating  the  use  of  Sun’s 
open-source  desktop  system  in 
December. 


C  ONTHEMARK 


HOT  TECHNOLOGY  TRENDS,  NEW  PRODUCT 
NEWS  AND  INDUSTRY  GOSSIP  BY  MARK  HALL 


Ways  to  Steal . . . 

. . .  critical  corporate  information.  So  warns  Gartner  Inc. 
in  a  report  detailing  how  data  crooks  can  use  port¬ 
able  music  players  like  Apple  Computer  Inc.’s  iPod 
to  rob  you  blind  [QuickLink  47983].  Vladimir  Cher- 
navsky,  CEO  of  AdvancedForce  InfoSecurity  Inc.  in 
San  Ramon,  Calif.,  amplifies  that  concern  by  includ¬ 
ing  Bluetooth  devices,  floppy  disks,  CDs  and  virtu¬ 


ally  anything  that  can  store 
data  and  use  a  pair  of  legs  to 
leave  the  premises.  “Someone 
carrying  a  hard  drive  out  of  a 
building  would  be  suspicious, 
but  carrying  an  iPod  is  not,” 
he  observes.  “Now  everyone 
is  potentially  James  Bond.”  As 
you  would  expect,  Chernav- 
sky  has  a  solution:  Device- 
Lock.  His  company  has  the 
exclusive  North  American 
rights  to  sell  the  software 
from  its  Russian  authors  at 
SmartLine  Inc.  DeviceLock 
is  designed  to  prevent  data 
from  being  written  to  any 
device  type.  But  it’s  flexible 
enough  that  you  can,  for  ex¬ 
ample,  permit  Universal  Seri¬ 
al  Bus  keyboards  to  be  used, 
but  not  USB  storage  systems. 
A  new  release  coming  in 
November  will  let  you  cen¬ 
trally  log  the  files  that  you  do 
permit  to  be  written  to  a  mo¬ 
bile  device,  so  you’ll  know 
whether  an  executive  is  up¬ 
dating  his  Bluetooth  unit’s 
contact  list  or  downloading 
your  entire  customer  file.  It 


runs  $35  for  a  single  license, 
but  that  price  can  fall  to  less 
than  $7  when  you  get  1,000  or 
more  licenses.  Think  of  it  as  a 
little  something  from  Russia 
with  love. 

Kill  Spam  Before . . . 

...  it  reaches 
your  network. 

That’s  the 
wisdom  from 
Scott  Petry, 
chief  technol¬ 
ogy  officer 
and  founder 
of  Postini 
Inc.  in  Red¬ 
wood  City, 
Calif.  He 
claims  that  his  service  stops 
50%  of  the  400  million 
e-mails  destined  for  his  cus¬ 
tomers’  networks  every  day, 
because  they’re  spam.  “If 
you’re  blocking  them  at  your 
gateway,  it’s  much  more  ex¬ 
pensive,”  he  says.  He  argues 
that  service  providers  such 
as  Postini  are  more  efficient 
because  they  can  see  “the 


PETRY:  Service 
providers  are 
the  best  way  to 
stop  spam. 


SMTP  conversation”  on  the 
Internet  and  quickly  identify 
and  remove  spam-  and  virus¬ 
laden  messages.  Petry  says 
privately  held  Postini  is  prof¬ 
itable,  growing  at  close  to 
180%  this  year  and  looking  to 
acquire  companies  in  what  he 
expects  will  be  a  rapidly  con¬ 
solidating  market  over  the 
next  year. 

Event-Driven  Data 
Gets  Pushed . . . 

. . .  to  users’  screens  with  publish- 
and-subscribe  tool.  KnowNow  3 
from  KnowNow  Inc.  in  Sun¬ 
nyvale,  Calif.,  eliminates  the 
need  for  end  users  to  request 
reports  on  data  generated 
across  the  HTTP-based  net¬ 
works.  The  server  software 
“dual  posts”  requested  data 
and  immediately  directs  it  to 
a  user’s  screen  or  to  an  appli¬ 
cation.  For  example,  upon 
completing  an  online  form,  a 
Web  visitor  can  be  instantly 
sent  to  an  available  customer 
service  agent,  or  sales  data 
entered  in  an  ERP  system  can 
be  immediately  sent  to  a  sales 
executive’s  desktop  spread¬ 
sheet.  Version  3,  which  ships 
at  the  end  of  next  month,  in¬ 
cludes  a  new  module  for  Mi¬ 
crosoft  SharePoint  systems, 
more  granular  event  filtering 
and  added  database  support. 
Pricing  starts  at  $15,000. 


Tech  Support 
Goes  Remote . . . 

. . .  with  a  hosted  service  from 
Citrix  Systems  Inc.  GoToAssist 
6.0,  which  is  set  for  release  on 
Sept.  14,  lets  your  technical 
service  reps  remotely  view 
and  control  the  PCs  of  end 
users  who  are  baffled  by  the 
behavior  of  their  Windows 
machines.  The  upgrade  in¬ 
cludes  nifty  improvements 
such  as  giving  technicians  the 
ability  to  remotely  reboot  a 
machine  and  then  retain  the 


Monthly  user 
support  sessions 
handled  by  Citrix 
GoToAssist. 


link  to  the  user’s  PC  after  the 
restart  in  case  the  problem 
persists.  There’s  no  need  for 
the  troubled  end  user  to  have 
client  software,  so  customer 
support  can  be  handled  on  an 
ad  hoc  basis.  Each  session  is 
128-bit  encrypted  for  secure 
communications.  The  service 
works  for  both  desktops  and 
servers,  and  Citrix  is  planning 
Linux  and  Unix  support  in 
the  coming  months.  Pricing 
starts  at  $325  per  month  per 
tech-support  agent,  with  a 
one-time  start-up  charge  of 
$700.  There  are  no  session 
fees  or  end-user  time  limits 
for  the  GoToAssist  service. 


m 


PROMPT: 

Virtual  direc¬ 
tories  are 
the  solution. 


Forget  Centralized 
Directory  Efforts . . . 

.... ,  . . .  because 

they’re 
doomed. 

There  are 
just  too 
many 

sources  with 
too  many 
methods  and 
schemas 
scattered 
throughout 
your  compa¬ 
ny  to  get  under  control.  So, 
should  you  just  give  up? 
Maybe  not.  Michel  Prompt, 
CEO  of  Radiant  Logic  Inc.  in 
Novato,  Calif.,  claims  that  a 
virtual  directory  is  the  solu¬ 
tion.  “Trying  to  centralize 
and  create  the  iiberdirectory 
has  been  a  big  failure,”  he 
says.  “But  virtualization 
works.”  In  effect,  your  users 
query  the  virtual  directory, 
which  handles  the  protocol 
and  other  differences  among 
the  various  directories  linked 
to  it.  Radiant  One  4.0,  which 
ships  this  week,  can  even  vir¬ 
tualize  Web  services.  By  Oc¬ 
tober,  when  4.1  ships.  Radiant 
will  release  federated  securi¬ 
ty  services  that  will  authenti¬ 
cate  users  and  their  rights 
across  multiple  directories. 
Expect  to  pay  about  $50,000 
to  sidestep  nonvirtual  doom. 
O  49095 


-  1  • 


There  is  no  one, 
single  solution 
to  security. 


But  there  is  one 
source  for  ongoing 
security  guidance. 


Go  to  the  Security  Guidance  Center  at  microsoft.com/security/IT 
to  see  the  newest  additions,  including: 


Microsoft®1  Windows®  XP  Service  Pack  2  Download  and  evaluate  the  latest  updates  for 
increased  system  control  and  proactive  protection  against  security  threats. 


Free  Online  Self  Assessment  Complete  this  free,  Web-based  self  assessment  to  help 
you  evaluate  your  organization's  security  practices,  and  indentify  areas  for  improvement. 


Free  Updates  and  E-mail  Alerts  Stay  on  top  of  the  latest  security  issues  quickly  and 
easily  by  signing  up  for  free  Microsoft  Security  Communications. 


Free  Security  Tools  React  more  effectively  to  potential  security  threats.  Take  advantage  of 

free  tools  and  technologies  like  the  Microsoft  Baseline  Security  Analyzer  and  Software  Update  Services. 


Visit  the  Security  Guidance  Center  regularly  for  the  latest  security  developments.  It's  continually  updated 
so  you  can  find  the  tools  and  training  you  need  to  help  better  protect  your  company,  all  at  one  centralized 
resource.  For  proactive  protection  and  ongoing  guidance,  visit  microsoft.com/security/IT  today. 


Microsoft 


©  2004  Microsoft  Corporation.  All  rights  reserved.  Microsoft  and  Windows  are  either  registered  trademarks  or  trademarks  of  Microsoft 
Corporation  in  the  United  States  and/or  other  countries. 


12  COMPUTERWORLD  August  30, 2004 


HP’s  Vims  Throttler 
Service  Is  Shelved 

Six  months  after  unveiling  tech¬ 
nology  designed  to  choke  off 
the  spread  of  viruses,  Hewlett- 
Packard  Co.  is  shelving  the  proj¬ 
ect.  The  company  won’t  be  re¬ 
leasing  a  security  service  called 
Virus  Throttler  because  it  requires 
operating  system  changes  that 
are  incompatible  with  Windows, 
HP  said  last  week. 


Cisco  to  Purchase 
P-Cube  for  S200M 

Cisco  Systems  Inc.  said  last  week 
it  has  agreed  to  acquire  Sunny¬ 
vale,  Calif.-based  software  devel¬ 
oper  P-Cube  Inc.  in  a  deal  that 
Cisco  valued  at  $200  million. 
Cisco  plans  to  continue  selling 
P-Cube’s  software,  which  helps 
service  providers  analyze  and 
control  network  traffic,  as  stand¬ 
alone  products.  The  company  said 
it  will  also  work  on  incorporating 
the  technology  into  its  own  hard¬ 
ware  and  software. 


U.S.  Forest  Service 
To  Cut  500  IT  Jobs 

The  U.S.  Department  of  Agricul¬ 
ture  Forest  Service  is  cutting  the 
equivalent  of  500  full-time  IT  jobs 
in  a  reorganization  of  its  IT  de¬ 
partment.  Forest  Service  employ¬ 
ees  won  a  competitive  sourcing 
contract  to  manage  the  IT  depart¬ 
ment.  The  workers  had  bid  against 
undisclosed  private  companies  for 
the  contract,  which  is  valued  at 
$295  million.  The  Forest  Service 
expects  to  save  approximately 
$100  million  over  the  five  years 
the  agreement  is  in  place. 


Short  Takes 

The  U.S.  POSTAL  SERVICE  signed 
a  $35  million  contract  with  SAP 
AMERICA  INC.  for  a  Web-based 
human  resources  application. . . . 
MICROSOFT  CORP.  said  it  has  fin¬ 
ished  work  on  Microsoft  Opera¬ 
tions  Manager  2005,  a  major  up¬ 
date  to  its  MOM  2000  perfor¬ 
mance  management  software. 


NEWS 


www.computerworld.com 


SEC  Deadline  Delay 
Signals  Sarb-Ox  Relief 


JUST  THE  FACTS 

What  happened:  On  Aug.  26,  the  SEC  announced  a  proposal  to 
postpone  for  one  year  an  accelerated  filing  period  for  large  companies  to 
submit  quarterly  and  annual  reports. 

What  it  means:  The  current  deadline  forso-calied  accelerated  filers 
will  remain  at  75  days  for  annual  reports  and  40  days  for  quarterly  reports. 
Accelerated  filers  will  have  60  days  to  file  annual  reports  and  35  days  to  file 
quarterly  reports  for  fiscal  periods  that  end  after  Dec.  15, 2005. 

Why  it  matters:  The  accelerated-filer  postponement  is  expected  to 
make  it  easier  for  big  companies  to  document  their  financial  and  IT  controls 
in  annual  reports  after  Nov.  15,  in  accordance  with  Section  404  of  the 
Sarbanes-Oxley  Act. 


Should  help  ease 
transition  to  new 
reporting  mandates 


BY  THOMAS  HOFFMAN 

HE  U.S.  SECURITIES  and 
Exchange  Commis¬ 
sion  last  week  an¬ 
nounced  that  it  will 
delay  an  accelerated  filing  peri¬ 
od  for  annual  reports  —  a  move 
expected  to  help  big  companies 
transition  more  easily  to  year- 
end  reporting  requirements 
under  the  Sarbanes-Oxley  Act. 

In  2002,  the  SEC  made  a 
change  to  the  Securities  Ex¬ 
change  Act  of  1934  that  short¬ 
ened  the  amount  of  time  com¬ 
panies  would  have  to  file  their 
quarterly  and  annual  reports 
after  the  end  of  a  fiscal  period. 

The  filing  requirements  for 
companies  with  a  market  capi¬ 
talization  of  $75  million  or 
more  shrank  from  90  days 
within  the  close  of  a  business 
cycle  to  75  days  this  year.  It 
was  scheduled  to  be  cut  to  60 
days  next  year. 

But  sources  close  to  the  is¬ 
sue  said  the  SEC  was  being 


pressured  by  big  accounting 
firms  to  maintain  the  75-day  fil¬ 
ing  requirement  for  one  more 
year  to  help  big  companies 
make  their  first  transition  to  a 
year-end  Sarbanes-Oxley  dead¬ 
line.  Under  the  SEC  proposal 
issued  last  week,  the  current 
deadline  for  so-called  accel¬ 
erated  filers  would  remain  at  75 
days  for  annual  reports  and  40 
days  for  quarterly  reports.  The 
accelerated-filing  phase-in  pe¬ 
riod  would  resume  for  reports 
filed  for  fiscal  years  ending  on 
or  after  Dec.  15, 2005.  SEC  reg¬ 
istrants  have  30  days  to  com¬ 
ment  on  the  proposal. 


Under  Section  404  of  the 
Sarbanes-Oxley  Act  of  2002, 
large  companies  must  docu¬ 
ment  in  their  annual  reports 
the  financial  and  IT  controls 
they  have  in  place  for  fiscal 
years  that  end  on  or  after 
Nov.  15,  2004. 

Big  Four  Weigh  In 

The  nation’s  Big  Four  account¬ 
ing  firms  recently  asked  the 
SEC  “that  they  not  push  [the 
filing  requirement]  to  60  days, 
at  least  for  the  moment,  to 
help  companies  deal  with 
these  current  pressures,”  said 
Marios  Damianides,  interna¬ 


tional  president  of  the  Infor¬ 
mation  Systems  Audit  and 
Control  Association  and  the 
Information  Technology  Gov¬ 
ernance  Institute,  both  in 
Rolling  Meadows,  Ill. 

For  the  past  few  weeks,  ru¬ 
mors  have  been  swirling  that 
the  SEC  might  extend  the 
deadline  for  public  companies 
to  meet  Section  404  require¬ 
ments.  But  sources  said  those 
rumors  are  unfounded  and 
were  based  on  misinterpreta¬ 
tions  of  recent  comments 
made  by  SEC  officials;  Section 
404  enforcement  delays  aren’t 
anticipated.  An  SEC  spokes¬ 
man  declined  to  comment. 

“[The  SEC  has]  already 
postponed  Section  404  dead¬ 
lines  twice.  If  they  keep  back¬ 
ing  down  and  do  it  a  third 
time,  people  are  going  to  ques¬ 
tion  their  credibility,”  said  Tim 
Welu,  CEO  of  Paisley  Consult¬ 
ing  Inc.,  a  company  in  Cokato, 
Minn.,  that  develops  software 
for  managing  audits  of  both  IT 
and  financial  controls. 

“I  think  they’d  only  extend 
the  accelerated  filing  period,” 
said  Eric  Clarke,  internal  audit 
director  at  Bresler  &  Reiner 
Inc.,  a  Rockville,  Md.-based 
real  estate  investment  trust. 

“If  they  keep  extending  the 
deadline  for  meeting  Section 
404  requirements,  it  won’t  do 
anything  for  investor  confi¬ 
dence.”  ©  49101 


Regulatory  Demands  Put  Spotlight 
On  Asset  Management  Practices 


Bresler  &  Reiner  Inc.  has  found 
itself  placing  a  lot  more  emphasis 
on  IT  asset  management  prac¬ 
tices  as  a  result  of  pressing  regu¬ 
latory  compliance  demands. 

Earlier  this  year,  the  Rockville, 
Md.-based  real  estate  investment 
trust  installed  an  industry-specif¬ 
ic  accounting  software  package 
that’s  used  by  its  various  proper¬ 
ty  management  companies. 

The  package  was  supplied  by 
Beaverton,  Ore.-based  Timber- 
line  Software  Corp.,  said  Eric 
Clarke,  Bresler  &  Reiner’s  inter¬ 
nal  audit  director. 

To  help  meet  regulatory  re¬ 
quirements  such  as  the  Sar¬ 


banes-Oxley  Act,  “we  want  to 
make  sure  financial  information 
on  our  software  and  servers  is 
adequately  safeguarded  and  that 
we  have  an  adequate  disaster 
recovery  plan  in  place  for  each 
site,”  Clarke  said. 

Indeed,  regulatory  require¬ 
ments  are  forcing  IT  managers  to 
track  their  IT  assets  more  closely, 
said  Jane  Disbrow,  an  analyst  at 
Gartner  Inc.  “If  you  don’t  know 
where  all  your  laptops  and  soft¬ 
ware  are  located,  how  can  you 
tell  regulatory  bodies  that  cus¬ 
tomer  information  is  being  kept 
private?”  she  said. 

IT  asset  management  con¬ 


cerns  are  just  making  their  way 
onto  Zebra  Technologies  Corp.’s 
regulatory  radar  screen.  IT  asset 
management  “is  something  that 
is  on  our  Sarb-Ox  list  a  month 
or  so  into  the  future,”  said  Todd 
Naughton,  vice  president  and 
controller  at  the  print  compo¬ 
nents  supplier  in  Vernon  Hills,  III. 

Sarbanes-Oxley  is  having  a 
two-pronged  affect  on  IT  asset 
management  practices.  Under 
Section  404  of  the  act,  compa¬ 
nies  are  required  to  attest  to  the 
internal  controls  that  are  used  for 
financial  reporting.  These  include 
IT-related  controls  that  firms  have 
in  place  to  effectively  track  and 
monitor  hardware,  plus  software 
used  to  support  financial  report¬ 
ing.  Companies  are  also  required 
under  Sarbanes-Oxley  to  dis¬ 


close  to  regulators  all  material 
financial  exposures  they  have, 
including  IT  equipment  leases 
and  licensing  agreements,  which 
have  to  be  tracked  closely. 

A  soon-to-be-published  sur¬ 
vey  of  220  IT  decision-makers 
by  Boston-based  AMR  Research 
Inc.  found  that  companies  that 
consider  regulatory  compliance 
the  top  business  issue  affecting 
their  security  spending  cite  the 
need  to  invest  in  auditing  and 
asset-tracking  tools  as  their 
No.  1  security  budget  priority. 

-  Thomas  Hoffman 


MORE  SARB-OX 

For  additional  information,  visit  our 
special  coverage  page: 

QuickLink  a3250 
www.computerworld.com 


www.computerworld.com 


NEWS 


wrtfftjWtiiwwaM— 
COMPUTERWORLD  August  30, 2004  13 


Legacy  Army  Payroll  Systems 
Buckle  Under  Weight  of  War 


GAO  audit  finds  that  95%  of  348  active 
reservists  have  had  problems  with  pay 


GAO 


Highlights 

Highlghtaol  uAO-0*-5<  I,  a  wport  io 

eongwaaonal  reqjo stars 


MILITARY  PAY 

Army  Reserve  Soldiers  Mobilized  to 
Active  Duty  Experienced  Significant  Pay 
Problems 


Why  GAO  Did  This  Study 

In  light  of  GAO’s  November  2003 
report  highlighting  significant  pay 
problems  experienced  by  Army 
National  Guard  soldiers  mobilized 
to  active  duty  in  support  of  the 
global  war  on  terrorism  and 
homeland  security,  GAO  was  asked 
to  determine  if  controls  i*ed  to  pay 
mobilized  Army  Reserve  soldiers 
provided  assurance  that  such 
payments  are  accurate  and  timely. 
GAO’s  audit  used  a  case  study 
approach  to  focus  on  controls  over 
three  key  areas:  processes,  people 
(human  capital),  and  automated 
systems 


Whal  GAO  Recommends 


GAO 


is  reiterating  5 


What  GAO  Found 

The  processes  and  automated  ays  terns  relied  on  to  provide  active  duty  pays 
allowances,  and  tax  benefits  to  mobilized  Army  Reserve  soldiers  arv  no 
error  prone,  cumbersome,  and  complex  that  neither  DOD  nor,  more 
Importantly,  Army  Reserve  soldiers  themselves,  could  be  reasonably  assured 
of  timely  and  accurate  payments.  Weaknesses  in  these  areas  resulted  in  pay 
problems.  Including  overpayments,  and  to  a  lesser  extent,  lute  and 
underpayments,  of  soldiers'  active  duty  pays  and  allowances  a:  eight  Army 
Reserve  case  study  units.  Specifically,  332  of  348  soldiers  (1*6  percen,* 
audited  at  eight  case  study  units  that  were  mobilized,  deployed,  ac  ' 
demobilized  at  some  time  during  the  l&month  period  from  Auf 
through  January  2004  had  at  least  one  pay  problem,  J 

Pay  Experience*  el  Eight  Army  Reserve  Ceee  SfciOy  Lhiie 
Army  Reeerve  unit 


System  problems  have  left  many  soldiers 
without  paychecks,  this  GAO  report  says. 


BY  MARC  L.  SONGINI 

The  war  in  Iraq  has  helped 
push  antiquated  U.S.  Army 
payroll  systems  past  their 
breaking  point,  leading  to  wide¬ 
spread  problems  for  reservists, 
according  to  a  U.S.  Govern¬ 
ment  Accountability  Office 
report  issued  this  month. 

So  severe  are  the  problems 
caused  by  the  aging,  stand¬ 
alone  Cobol-based  mainframe 
systems  that  the  GAO  audit 
found  that  95%  of  348  mobi¬ 
lized  reserve  soldiers  had  at 
least  one  payroll  problem.  The 
glitches  included  both  over¬ 
payments  and  underpayments, 
as  well  as  delayed  disburse¬ 
ments.  Some  troops  had  nu¬ 
merous  payroll  problems,  and 
it  took  more  than  a  year  to 
correct  some  of  them. 

Both  the  system  itself, 
called  the  Defense  Joint  Mili¬ 
tary  Pay  System-Reserve 
Component  (DJMS-RC),  and 
the  attendant  human  process¬ 
es  are  “so  error-prone,  cum¬ 
bersome  and  complex”  that 
the  soldiers  affected  can’t  be 
assured  of  timely  and  accurate 
payment  for  duty  served,  said 
the  GAO  study.  The  result  has 
been  a  “profound  adverse  af¬ 
fect  on  individual  soldiers  and 
their  families,”  it  said. 

System  Limitations 

One  major  weakness  stems 
from  a  lack  of  integration  be¬ 
tween  the  DJMS-RC  and  relat¬ 
ed  U.S.  Army  personnel  appli¬ 
cations.  The  payment  system 
was  also  hampered  by  proc¬ 
essing  limitations,  requiring 
“significant  manual  effort”  to 
make  up  for  the  shortcomings. 

The  GAO  cited  one  case  in 
which  a  soldier  received  an 
overpayment  of  $24,000  when 
a  revocation  of  his  mobiliza¬ 
tion  status  wasn’t  automatical¬ 
ly  reported  to  the  payroll  sys¬ 
tem  due  to  the  gaps  between 
the  personnel  system  and  the 


DJMS-RC.  And  because  of  the 
DJMS-RC’s  computational 
limits,  accounting  for  vari¬ 
ables  such  as  hardship  duty  re¬ 
quires  manual  input. 

The  Defense  Finance  and 
Accounting  Service  (DFAS), 
which  oversees  the  DJMS-RC, 
has  acknowledged  that  the 
system  is  “aging,  unrespon¬ 
sive,  fragile  and  a  major  im¬ 
pediment  to  efficient  and 
high-quality  customer  ser¬ 
vice,”  according  to  the  GAO. 

Increased  Risk  of  Error 

A  DFAS  spokesman  said  the 
DJMS-RC’s  limitations  were 
exacerbated  by  the  war  in 
Iraq;  prior  to  the  war,  the  sys¬ 
tem  primarily  handled  pay  for 
drilling  exercises  and  not  for 
the  12-  or  18-month  deploy- 


BY  DAN  VERTON 

WASHINGTON 

The  Transportation  Security 
Administration  last  week  an¬ 
nounced  a  series  of  pilot  tests 
of  IT-based  programs  to  bol¬ 
ster  airport  security.  And  TSA 
Administrator  David  M.  Stone 
said  the  agency  is  only  “days 
or  weeks”  away  from  deploy¬ 
ing  a  revamped  version  of  its 
controversial  passenger¬ 
screening  system. 

The  TSA  selected  two  addi¬ 
tional  airports  —  the  Norman 
Y.  Mineta  San  Jose  Interna¬ 
tional  Airport  and  the  Helena 
Regional  Airport  in  Montana 
—  to  participate  in  its  Access 
Control  pilot  program.  That 
brings  the  total  number  of  air¬ 
ports  in  the  program,  which 
began  in  April,  to  10. 

The  pilot  program  will  test 
a  wide  range  of  technologies, 
including  radio  frequency 
identification  (RFID)  systems, 
antipiggybacking  systems,  ad- 


ments  now  taking  place  in  the 
Middle  East.  “Anytime  a  sys¬ 
tem  requires  human  interven¬ 
tion,  you  increase  the  risk,” 
the  spokesman  said. 

Acknowledging  the  system’s 
limitations,  the  Defense  De¬ 
partment  has  launched  a  train¬ 
ing  program  for  support  per¬ 
sonnel  and  is  rolling  out  an  im¬ 
proved  payroll  system  based 
on  PeopleSoft  Inc.’s  PeopleSoft 
Enterprise,  which  will  begin  to 
go  live  next  spring. 

Once  in  place,  the  applica¬ 
tion  will  integrate  the  pay 
processes  for  reservists  and 
active  Army  personnel  and 
end  the  need  for  manual  work¬ 
arounds  while  improving  sta¬ 
bility  and  eliminating  many  of 
the  problems  identified  by  the 
GAO,  said  the  spokesman. 

That  system  will  later  be 
phased  out  in  favor  of  the  larg¬ 
er  Defense  Integrated  Military 
Human  Resources  Systems 


vanced  video  surveillance 
technology  and  various  bio¬ 
metric  systems.  The  goal  of 
the  tests,  which  will  run 
through  the  end  of  the  year,  is 
to  identify  technologies  that 
allow  only  authorized  airport 
personnel  and  vehicles  to  ac¬ 
cess  secure  areas  of  an  airport. 

The  announcement  was 
welcomed  by  members  of 
Congress,  who  expressed  frus¬ 
tration  with  the  pace  of  tech- 


(DIMHRS),  which  was  first 
announced  in  August  2001  and 
is  also  built  on  PeopleSoft 
[QuickLink  a4940J.  Eventually, 
the  human  resources  and  pay¬ 
roll  applications  will  function 
as  a  single  integrated  system, 
although  progress  on  the 
DIMHRS  implementation  has 
been  slow  [QuickLink  41815]. 

While  “significant  design 
work  has  been  completed”  on 
the  DIMHRS  project,  exten¬ 
sive  testing  will  be  required 
before  implementation  can  be- 


nology  efforts  to  support 
homeland  security.  At  a  hear¬ 
ing  of  the  House  Transporta¬ 
tion  and  Infrastructure  avia¬ 
tion  subcommittee  last  week, 
lawmakers  urged  Stone  not  to 
let  a  desire  to  find  the  perfect 
technology  delay  the  deploy¬ 
ment  of  something  that  is 
“good  enough”  for  now. 

Some  lawmakers  and  airline 
industry  executives  argued 
that  TSA  programs  have  been 
hindered  by  a 
lack  of  standards 
for  biometric 
technologies  and 
a  government  bu¬ 
reaucracy  that 
remains  inca¬ 
pable  of  sharing 
information  and 
setting  priorities 
three  years  after 
the  Sept.  11,  2001, 
terrorist  attacks. 

“Many  airports 
are  willing  to  de¬ 


gin,  said  Norma  St.  Claire,  a 
DOD  director  of  joint  require¬ 
ments  and  integration.  De¬ 
ployment  to  the  Army,  the 
first  branch  to  go  online,  will 
start  in  the  first  quarter  of 
2006,  she  said.  St.  Claire  added 
that  while  the  DOD  wants  the 
software  to  be  as  “vanilla”  as 
possible,  “sometimes  there  are 
mission  requirements  that  are 
not  supported  by  the  commer¬ 
cial  product,  and  a  few  mod¬ 
ifications  will  be  needed.” 

©  49108 


ploy  biometric  technologies 
but  are  reluctant  to  do  so  until 
the  Department  of  Homeland 
Security  issues  guidance  and 
makes  clear  what  types  of  bio¬ 
metric  systems  will  meet  its 
standards  in  the  future,”  said 
Rep.  John  Mica  (R-Fla.),  chair¬ 
man  of  the  House  Aviation 
subcommittee.  “Someone  at 
DHS  just  needs  to  make  a  de¬ 
cision,  and  the  rest  will  fall 
into  place.” 

Capt.  Duane  Woerth,  presi¬ 
dent  of  the  Air  Line  Pilots  As¬ 
sociation,  said  that  when  his 
organization  began  working 
with  the  IT  industry  and  the 
government  to  establish  a  bio¬ 
metric  standard,  it  expected 
the  effort  to  take  about  six 
months. 

“Every  airline  employee 
[had  his]  background  checked 
and  was  fingerprinted  three 
years  ago,”  said  Woerth. 
“Three  years  later,  we  don’t 
have  anything.  Three  years 
later,  we’re  told  we  might 
have  a  pilot  program.  That’s 
unacceptable.”  ©  49109 


TSA  Readies  Security  Systems  Rollout 


II 


COMPUTERWORLD  August  30, 2004 


www.computerworld.com 


Continued  from  page  1 

Disaster  Plans 


age  networking  environments. 

Firms  were  asked  what  re¬ 
covery  strategies  they  use, 
what  they  consider  to  be  best 
practices  and  what  cost/risk 
trade-offs  and  regulations  are 
driving  their  strategies.  They 
were  also  asked  what  invest¬ 
ments  in  disaster  recovery 
they  will  make  in  the  next  year. 

For  security  reasons,  the 
banks  were  unwilling  to  share 
specific  strategies  publicly, 
but  Baumann  said  a  common 
concern  was  the  need  to  find  a 
data  recovery  methodology 
that’s  efficient  and  scalable 
and  meets  the  needs  of  inter¬ 
nal  customers. 

“We’d  all  like  to  have  an 
open  checkbook  to  do  every¬ 
thing  right  now.  We’d  like  to 
do  it  at  a  price  tag  our  compa¬ 
nies  are  willing  to  spend,”  Bau¬ 
mann  said.  “It’s  not  so  much 
getting  the  money.  It’s  putting 
together  the  right  business 
case  to  say,  ‘Here’s  why  we 
should  be  doing  this.’  ” 

Cost  Pressures 

Virginia  Garcia,  an  analyst  at 
TowerGroup  in  Needham, 
Mass.,  said  the  discussion  is 
unique  among  financial  ser¬ 
vices  firms,  which  have  been 
squeamish  about  sharing  IT 
data  because  they  consider  it  a 
competitive  advantage. 

But  with  disaster  recovery 
spending  totaling  1%  to  2%  of 
financial  firms’  budgets  — 
that’s  roughly  $2  billion  per 
year  for  U.S.  banks  —  building 
business  continuity  through 
best  practices  is  becoming  a 
necessity. 

“This  spending  is  growing 
well  into  double  digits  —  an 


Participating  Banks 


a  Huntington  Bencshares  Inc. 
a  Bank  of  America  Corp. _ 

x  Wachovia  Corp. 

»  BankOsie  Gorp^  _ 

r»  CtHmrieajnc,  _____ 

*  US  BancorR 

• - 


4 


"  Chase  &  Co. 

Group  §11 


Key  Project  Findings 


■  Banks  are  increasingly  using  higher  levels  of  automation  to  mini- 

mize  recovery  complexity. _ 

■  Market  dynamics  are  demanding  that  large  firms  provide  faster 

recovery  capabilities  at  lower  cost  and  with  less  risk. _ 

■  Financial  firms  are  increasingly  integrating  technology  recovery 

capabilities  into  systems. _ 

■  Banks  are  giving  increased  consideration  to  large-scale  disasters 
and  are  mitigating  risks  with  multiple,  wide-area  recovery  locations. 

■  Banks  are  moving  toward  internal  recovery  centers  and  away 
from  third-party  recovery  centers. 


increase  of  17%  a  year,”  Garcia 
said.  “There’s  a  very  concert¬ 
ed  effort  in  the  banking  indus¬ 
try  to  get  a  better  handle  on 
risk  management  spending  at 
the  operational  level.” 

Charles  Wollmen,  manag¬ 
ing  executive  director  of  the 
FSTC’s  business  continuity 
standing  committee,  said  there 
were  several  revelations  from 
the  project.  For  example, 
banks  said  they  are  more 
tightly  integrating  recovery 
activities  into  IT  systems  de¬ 
sign  and  incorporating  them 
into  day-to-day  production 
practices.  Companies  are  also 
moving  toward  more  automa¬ 
tion  to  reduce  recovery  times 
and  eliminate  human  error. 

Garcia  agreed  with  those 
findings,  saying  banks  are 
quickly  moving  away  from 


tape  backups  and  choosing 
disk-to-disk  mirroring  of  data 
over  wide  geographic  areas. 

Firms  also  said  they’re  mov¬ 
ing  toward  internal  bunker 
data  centers  and  away  from 
third-party  recovery  service 
providers  such  as  SunGard 
Data  Systems  Inc.  and  IBM. 


The  companies  all  said  they 
want  to  spread  their  primary 
and  backup  data  centers  far¬ 
ther  apart  to  deal  with  region¬ 
al  power  outages.  “Having  the 
data  centers  five  miles  away  is 
not  going  to  be  good  enough,” 
Wollmen  said.  “They’d  like  to 
. . .  have  data  centers  farther 


CA  Shareholders  Back 
Management  on  Bonuses 


Money  paid  to 
former  executives 
won’t  be  revoked 

BY  STACEY  COWLEY 

Computer  Associates  Interna¬ 
tional  Inc.  avoided  a  revolt  at 
its  annual  meeting  last  week, 
when  shareholders  voted 
down  a  proposal  requesting 
that  the  company’s  board 
adopt  a  policy  of  revoking  ex¬ 
ecutive  bonuses  paid  based  on 
financial  results  that  are  later 
revised. 

Submitted  by  Amalgamated 
Bank  LongView  Collective  In¬ 
vestment  Fund,  the  proposal 
came  in  the  wake  of  an  ac¬ 
counting  scandal  that  devas¬ 
tated  CA’s  management  ranks 
and  forced  the  company  to  re¬ 
state  $2.2  billion  of  revenue. 

The  Amalgamated  Bank 
fund  cited  the  scandal  in  a  reg¬ 
ulatory  Filing  supporting  its 
proposal.  The  fund  took  issue 
with  the  millions  paid  to  exec¬ 
utives  —  specifically,  to  for¬ 
mer  CEO  Sanjay  Kumar,  who 
served  as  CA’s  president  and 
chief  operating  officer  at  the 
time  the  fraud  occurred  —  and 
with  CA’s  board’s  silence 
about  whether  it  will  attempt 


to  recoup  those  bonuses.  Not 
doing  so  would  be  “a  serious 
omission,”  the  fund  argued. 

At  the  meeting,  76%  of  votes 
cast  sided  with  CA,  which  op¬ 
posed  the  proposal. 

Unlike  recent  financial  scan¬ 
dals  at  other  companies,  CA’s 
didn’t  involve  fictitious  rev¬ 
enue.  Rather,  to  meet  the  ana¬ 
lyst  and  investor  expectations, 
the  company  prematurely  rec¬ 
ognized  sales  that  should  have 
been  booked  later.  Based  on  tar¬ 
gets  that  later  weren’t  met,  CA 
awarded  bonuses  to  top  sales 
and  management  executives. 


BY  LUCAS  MEARIAN 

EMC  Corp.  today  announced 
several  network-attached  stor¬ 
age  (NAS)  devices  that  can  be 
used  for  backing  up  servers 
over  Ethernet  using  Internet 
SCSI.  EMC  said  it  has  boosted 
the  performance  on  its  NAS 
devices  and  improved  ease 
of  use  of  its  graphical  user 
interfaces. 

Tony  Asaro,  an  analyst  at 
Enterprise  Strategy  Group 
Inc.,  said  the  revised  inter- 


Amalgamated  faced  long 
odds  on  winning  passage  of 
the  proposal.  A  small  number 
of  investors  hold  a  significant 
percentage  of  CA’s  shares  and 
traditionally  vote  with  the 
company’s  management. 

Also  at  CA’s  meeting,  com¬ 
pany  chairman  Lewis  Ranieri 
said  CA  is  considering  interim 
CEO  Kenneth  Cron  for  the 
permanent  spot.  Cron  initially 
said  he  wouldn’t  be  a  candi¬ 
date  in  the  company’s  CEO 
search. 

CA  is  unlikely  to  fill  its  CEO 
vacancy  before  it  resolves  the 
continuing  government  inves¬ 
tigation  of  its  accounting 
fraud.  The  company  has  now 
expelled  every  executive  im¬ 
plicated  in  the  fraud  as  well  as 


faces  make  the  NS  family  of 
NAS  servers  easy  to  manage, 
“even  for  nontechnical  users.” 

That  point  wasn’t  lost  on 
Lorie  Beam,  director  of  IT  at 
law  firm  Smith,  Anderson, 
Blount,  Dorsett,  Mitchell  & 
Jernigan  LLP  in  Raleigh,  N.C. 
“If  you  have  less  technical 
people,  but  you  have  a  need 
for  them  to  manage  things,  it 
certainly  helps,”  she  said. 

The  NAS  devices  are  certi¬ 
fied  as  iSCSI  targets  by  Micro- 


EMC  Unveils  NAS  Devices 


apart  and  still  be  able  to  do 
the  backups  and  not  lose  data. 
It’s  more  the  issue  of  you  want 
your  cake  and  eat  it  too.” 

One  idea  floated  by  the 
banks  in  conjunction  with 
longer-distance  replication  of 
data  was  to  share  physical  dis¬ 
aster  recovery  facilities  in  re¬ 
mote  locations,  which  would 
spread  out  the  cost  of  building 
and  running  hot  sites.  “But  the 
other  issue  is  that  you  have  so 
much  at  stake  in  these  large 
data  centers,”  Wollmen  said. 
“If  sharing  IT  increases,  then 
risk  would  be  a  concern.  So 
it’s  a  balancing  act  involving 
risk  and  cost.” 

The  FSTC  plans  to  meet 
again  on  Oct.  6  to  further  dis¬ 
cuss  disaster  recovery  initia¬ 
tives  needed  in  the  financial 
services  industry.  O  49106 


those  in  top  management  roles 
at  the  time  criminal  activity 
was  perpetrated,  but  it  re¬ 
mains  subject  to  fines  or  other 
sanctions  the  government  may 
impose  as  penalty  for  the  cor¬ 
porate  wrongdoing. 

Ranieri  said  he  is  continuing 
to  work  with  the  government 
toward  a  settlement.  Earlier 
this  year,  CA  offered  $10  mil¬ 
lion  to  settle  the  charges 
against  it,  but  the  company 
hasn’t  commented  on  the  gov¬ 
ernment’s  response  to  the  of¬ 
fer.  Ranieri  also  said  CA  is  re¬ 
viewing  the  issue  of  compen¬ 
sation  paid  to  “certain  offi¬ 
cers”  in  prior  years.  ©  49102 


Cowley  writes  for  the 
IDG  News  Service. 


soft  Corp.,  which  allows  ad¬ 
ministrators  to  consolidate 
their  servers  running  Micro¬ 
soft  server  products  and 
Linux. 

Asaro  lauded  EMC  for  its 
introduction  of  the  iSCSI  pro¬ 
tocol  on  its  boxes,  noting  that 
NAS  is  better  than  a  storage- 
area  network  for  certain  file¬ 
sharing  applications.  “And 
iSCSI  makes  sense  in  conjunc¬ 
tion  with  NAS  because  they 
both  use  the  same  Ethernet 
infrastructure,”  he  said,  “mak¬ 
ing  it  easy  to  install  and  cost- 
effective.”  ©  49100 


www.computerworld.com 


NEWS 


Washington  State  Ferries  Expands 
Wi-Fi  Service  for  Passenger  Use 


BY  BOB  BREWIN 

In  a  development  that  extends  wireless 
WAN  technology  beyond  fixed  loca¬ 
tions,  Washington  State  Ferries  plans 
to  offer  free  Wi-Fi  service  to  passen¬ 
gers  on  ferryboats  on  its  high-traffic 
Seattle-area  routes  this  fall. 

IT  director  Jim  Long  said  the  ferry 
system  recently  finished  testing  Wi-Fi 
service  on  the  M/V  Klickitat  on  the 
Port  Townsend-Keystone  route,  which 
connects  the  Olympic  Peninsula  to 
Whidbey  Island,  about  43  miles  north¬ 
west  of  Seattle.  Long  said  he  would 
eventually  like  to  have  all  25  boats  in 
the  fleet  connected  to  a  wireless  WAN 
that  treats  each  “individual  ferry  boat 
like  an  office  building”  hooked  up  to  a 
wired  WAN.  The  fleet  carries  26  mil¬ 
lion  passengers  per  year  between  20 
ports  of  call. 

That’s  exactly  what  Mobilisa  Inc., 
now  running  a  nearly  yearlong  test  of 
Wi-Fi  for  Washington  State  Ferries,  is 
delivering,  according  to  Nelson  Lud¬ 
low,  CEO  of  the  Port  Townsend-based 
company.  Mobilisa  has  installed  a  wire¬ 
less  WAN  that  treats  about  400  square 
miles  of  Puget  Sound  “like  one  big 
WAN,”  with  Wi-Fi  service  and  wireless 
connectivity  to  the  Internet  available 
on  ferryboats  operating  anywhere  in 
the  area.  The  Mobilisa  tests  are  being 
funded  by  a  $1  million  grant  from  the 
Federal  Transportation  Administration. 

Coverage  Configuration 

Ludlow  said  Mobilisa  has  installed  a 
two-stage  wireless  system  to  provide 
coverage  to  Washington  State  Ferries. 
The  first  stage  provides  connectivity 
from  the  shore  to  the  boats,  with  point- 
to-multipoint  wireless  gear  from  Sun¬ 
nyvale,  Calif.-based  Proxim  Corp.  oper¬ 
ating  in  the  unlicensed  5.8-GHz  band. 

Proxim’s  Tsunami  MPlla  system 
supports  mobile  roaming,  which  is  key 
to  ensuring  uninterrupted  connectivity 


from  the  boats  as  they  move  from  the 
coverage  area  of  the  fixed-link  wireless 
antennas  installed  on  one  side  of  a 
route  to  antennas  on  the  other  side.  The 
Port  Townsend-Keystone  run  doesn’t 
allow  line-of-sight  coverage,  so  it  re¬ 
quired  the  installation  of  two  antennas 
on  the  Keystone  side,  Ludlow  said. 

Mobilisa  also  had  to  develop  its  own 
switching  algorithms  for  the  handoffs 
between  the  fixed-wireless  shore  sta¬ 
tions,  so  the  signal  from  the  vessel 
could  bounce  from  one  shore  antenna 
to  another  throughout  its  run.  Ludlow 
said  Mobilisa  experienced  few  outages 
in  its  tests  with  the  Klickitat,  which  be¬ 
gan  in  April;  an  aircraft  carrier  blocked 
the  signal  on  one  day. 

The  Proxim  equipment  on  the  boats 
connects  to  BeaconPoint  Wi-Fi  access 
points  from  Chantry  Networks  Inc.  in 
Waltham,  Mass.  The  BeaconPoints  of¬ 
fer  Wi-Fi  connections  using  the  802.11a 
standard,  which  operates  in  the  5-GHz 
unlicensed  band,  and  the  802.11b/g 
standards,  which  use  the  2.4-GHz  band. 

Mobilisa  has  also  outfitted  the  ferry 
docks  with  Wi-Fi  BeaconPoints,  allow¬ 
ing  passengers  to  use  the  service  while 
waiting  for  a  boat.  The  Port  Townsend 
access  point  also  covers  restaurants 
near  the  ferry  dock,  Ludlow  said. 

The  BeaconPoints  are  hooked  into 
Chantry’s  BeaconMaster  wireless 
switch,  which  allows  Mobilisa  to  con¬ 
trol  all  the  BeaconPoints  on  all  the 
boats  from  the  Mobilisa  network  oper¬ 
ations  center  in  Port  Townsend. 

The  BeaconMaster  130,  priced  at 
$12,995,  is  a  Layer  3  switch  that  allows 
passengers  to  roam  from  dock  to  boat 
and  to  the  dock  again  without  initiat¬ 
ing  a  new  Wi-Fi  session,  said  Luc  Roy, 
senior  director  of  product  marketing 
and  management  at  Chantry. 

The  ferry  system  plans  to  issue  a  re¬ 
quest  for  bids  on  a  ferrywide  system 
once  the  trials  end  next  March,  Long 
said.  Because  of  the  infrastructure 
costs  involved,  he  said  he  expects  any 
permanent  Wi-Fi  system 
to  be  fee-based. 

Although  the  trial  is 
focused  on  providing 
Wi-Fi  service,  Long  said 
he  anticipates  using  the 
network  to  support 
crews,  including  provid¬ 
ing  them  with  wireless 
voice-over-IP  phone 
service,  since  cellular 
coverage  for  the  boats 
is  spotty.  O  49055 


Get  your  FREE  book  and  learn  how  your  company 
can  manage  the  startling  growth  in  email 
volume — and  withstand  the  massive  flood  of  spam,  viruses 
and  fraud  that  threaten  your  email  communication  system. 

To  order  your  free  copy  of 
GET  THE  MESSAGE: 

A  Business  Guide  to  Surviving  the  Email  Security  Crisis, 
visit  www.ironport.com/book  or  call  toll  free  866.882.8658 


IRONPORT 


Rebuilding  the  World’s  Email  Infrastructure 


iO  CO^PUTERWORLD  August  30, 2004 


OPINION 


www.compulerworld.com 


MARYFRAN  JOHNSON 


DAN  GILLMOR 


Open-Source  Obligations 


OMEONE  in  the  open-source  community 
should  send  a  nice  bottle  of  champagne 
to  Charlie  Ward,  manager  of  technical  ar¬ 
chitecture  at  Duke  Power.  What’s  worth 
celebrating?  The  way  Ward  and  his  crew 
of  developers  poured  1,000  hours  into  building  a 
framework  to  support  application  development  on 
Microsoft’s  .Net  technology,  then  turned  their  work 


over  to  the  open-source 
community  (“Utility  to 
Make  IT  Framework 
Open-Source,”  Quick- 
Link  48960). 

What  made  this  front¬ 
page  news  for  us  last 
week  was  the  significant 
size,  relative  rarity  and 
potential  impact  of  this 
corporate  embrace  of 
open-source.  It’s  one 
thing  for  developers  to 
turn  over  a  few  sanc¬ 
tioned  pieces  of  corporate  code  to 
their  open-source  playmates.  It’s 
quite  another  for  a  major  utility  to 
throw  open  the  doors  to  the  results 
of  a  costly,  complex  software  project. 

Open-source  just  climbed  up  an¬ 
other  rung  on  the  enterprise  ladder. 

“This  is  somewhat  of  an  experi¬ 
ment  to  see  how  much  value  can  be 
gained  from  the  open-source  com¬ 
munity,”  Ward  said.  Building  a 
framework  for  application  develop¬ 
ment  doesn’t  give  an  energy  compa¬ 
ny  any  particular  competitive  advan¬ 
tage,  he  observed,  but  getting  contin¬ 
ued  support  and  improvements  do¬ 
nated  by  a  dedicated  community  of 
developers  is  clearly  a  benefit. 

The  appeal  of  open-source  is 
rolling  rapidly  across  the  corporate 
landscape.  More  than  60%  of  140 
companies  surveyed  this  spring  by 
Forrester  Research  said  they  were 
either  using  or  planning  to  use  open- 
source  products  —  everything  from 
databases  and  development  tools  to 
Web  servers  and  desktop  software. 
And  now  the  feds  are  officially  en¬ 
couraging  open-source  adoption 
across  all  government  agencies. 


MARYFRAN  JOHNSON  is 

editor  in  chief  of  Comput- 
erworld.  You  can  contact 

her  at  maryfran Johnson® 
computerworid.com. 


“Open-source  is  just 
a  more  efficient,  effective 
software  business  mod¬ 
el,”  says  John  Roberts, 
founder  of  SugarCRM, 
one  of  the  first  open- 
source  business  applica¬ 
tion  companies  to  attract 
venture  funding.  “It’s 
more  than  just  cheaper 
software.  It’s  a  shift,  a 
movement  reshaping  the 
dynamics  of  a  modern 
software  company.” 

I  think  he’s  right  about  those  fun¬ 
damental  shifts,  which  are  also 
changing  —  and  further  complicat¬ 
ing  —  the  landscape  of  software  li¬ 
censing.  For  example,  even  at  com¬ 
panies  where  open-source  products 
aren’t  in  evidence  yet,  the  lines  of  re¬ 
sponsibility  are  blurring  as  vendors 
fold  portions  of  open-source  code 
into  their  own  proprietary  products. 


One  CTO  I  spoke  with  last  week 
had  just  encountered  a  novel  situa¬ 
tion  with  a  new  software  package 
from  a  major  vendor.  His  developers 
found  a  flaw  in  the  code  and  alerted 
the  vendor,  which  denied  responsibil¬ 
ity,  saying  that  the  piece  of  code  con¬ 
taining  the  flaw  was  open-source. 
The  customer  argued  for  the  fix  and 
ultimately  got  it  —  but  the  experience 
raised  a  red  flag  for  the  CTO. 

It  should  do  the  same  for  you.  IT 
executives  need  to  educate  them¬ 
selves  about  the  rights  and  obliga¬ 
tions  involved  in  open-source  — 
even  if  it’s  not  in-house  yet. 

“What  you  need  to  look  out  for  is 
what  you  give  up”  as  well  as  what 
you  gain  in  an  open-source  licensing 
agreement,  says  Larry  Rosen,  author 
of  Open  Source  Licensing:  Software 
Freedom  and  Intellectual  Property 
Law  (see  “No  Free  Lunch,”  Quick- 
Link  48482).  If  you  choose  to  share 
your  open-source  development  with 
other  companies,  for  example,  you 
may  be  obligated  to  use  the  same  li¬ 
cense  with  everyone. 

It  will  be  fascinating  to  watch  how 
Duke  Power  proceeds  with  its  open- 
source  experiment,  its  licensing 
arrangements  and  the  business  value 
that  comes  from  it.  Here’s  hoping  it’ll 
be  worth  another  bottle  of  cham¬ 
pagne.  ©  49072 


Microsoft 
Security’s 
Weak  Link 

WINDOWS  XP  Ser¬ 
vice  Pack  2  is  now 
making  its  way  onto 
computers.  This  major  update 

is  a  step  forward  for  a  company  that 
has  had  an  abysmal  record  on  security, 
and  we  should  be  happy  for  that  much. 

But  it’s  only  one  overdue  action. 
Users  should  also  install  more  capable 
firewalls,  antivirus  software  and  anti¬ 
spyware  applications.  But  the  service 
pack  also  reminds  us  of  a  situation 
that  Microsoft  has  never  properly  ad¬ 
dressed:  the  retail/computer  security 
problem. 

If  you  buy  a  new  Windows  PC  for 
your  home  and  hook  it  up  to  a  DSL 
service  or  a  cable-modem  line  without 
first  installing  a  hard¬ 
ware  or  software  fire¬ 
wall,  your  computer 
could  well  be  com¬ 
promised  by  hackers 
before  you’ve  even 
had  time  to  install 
Microsoft’s  “critical” 
security  updates. 

The  PC  may  be 
turned  into  a  spam¬ 
mer’s  toy,  a  zombie 
spewing  thousands 
of  mail  messages  per 
day,  some  of  which 
could  clog  corporate 
networks.  Or,  worse, 
it  may  now  have  a 
keystroke  logger  in  place,  snarfing  up 
personal  and  corporate  log-ons  and 
passwords  and  sending  them  who 
knows  where. 

This  is  a  clear  and  present  danger 
to  corporate  networks.  If  an  infected 
home  PC  gets  connected  to  the  corp¬ 
orate  network,  via  a  VPN  or  other 
means,  all  the  work  IT  does  internally 
to  keep  things  safe  could  be  wrecked. 

Yet  this  is  reality.  Why?  Because 
Microsoft  doesn’t  require  computer 
makers  and  retailers  to  sell  their  PCs 
with  totally  updated  operating  sys¬ 
tems.  The  computers  likely  will  have 
XP  with  the  most  recent  service  pack, 
but  no  subsequent  updates. 

The  same  is  true  if  you  buy  the  Win¬ 
dows  XP  software  by  itself,  in  the  box. 
It,  too,  will  probably  need  updating  to 


DAN  0ILLM0R  Is  a  COlum- 
nist  at  the  San  Jose 
Mercury  News  and 
author  of  We  the  Media: 
Grassroots  Journalism 
by  the  People,  for 
the  People. 
Contact  him  at 
dgillmor@sjmercury.com. 


www.computerworld.com 


OPINION 


COMPUTERWORLD  August  30, 2004 


17 


be  even  remotely  safe.  In  other  words, 
despite  monopoly  profits  and  legions 
of  talented  programmers,  Microsoft 
continues  to  allow  retail  versions  of 
Windows  to  go  out  the  door  with 
known  defects.  Why? 

Yes,  there  are  complications  in  the 
retail  channel.  Microsoft  and  the  man¬ 
ufacturers  would  have  to  put  in  a  great 
deal  more  effort,  and  some  added  ex¬ 
pense,  to  do  the  right  thing.  Given  the 
wafer-thin  margins  in  PC  retailing,  you 
can’t  expect  the  manufacturers  or  re¬ 
tailers  to  voluntarily  take  this  on. 

That’s  why  Microsoft  should  step  in 
and  do  it  for  them. 

At  last  count,  Microsoft  had  more 
than  $50  billion  in  cash.  It  plans  to  give 
some  of  that  back  to  shareholders. 

Fine.  But  how  about  using  some  of  it  to 
make  sure  that  computers  sold  at  retail 
have  the  latest  update  of  the  operating 
system,  with  the  firewall  turned  on? 

Microsoft  will  never  do  that  volun¬ 
tarily.  Its  track  record  shows  it  to  be  a 
company  that  offloads  as  many  costs  as 
possible  onto  captive  manufacturing 
“partners”  that  have  no  alternatives. 

The  logical  people  to  intervene  in 
this  situation  are  state  and  federal  con¬ 
sumer-protection  officials.  They’d  nev¬ 
er  allow  auto  companies  to  sell  cars 
with  serious  known  defects.  Why  do 
they  permit  Microsoft  and  the  PC  mak¬ 
ers  to  do  so? 

IT  should  be  yelling  from  the  roof¬ 
tops  about  this.  The  situation  is  getting 
better  only  at  the  margins,  and  that’s 
not  nearly  good  enough.  ©  48990 

PIMM  FOX 

Keeping  the 
Skies  Safe 
From  Teddy 

WHATEVER  your  po¬ 
litical  stripes,  you 
would  probably 

agree  that  Sen.  Edward  Ken¬ 
nedy  (D-Mass.)  is  not  a  terrorist. 

But  when  he  tried  to  board  a  US  Air¬ 
ways  flight  at  Reagan  National  Airport 
near  Washington  this  past  spring,  he 
was  stopped  because  his  name  ap¬ 
peared  on  the  government’s  secret 
“no-fly”  list. 

This  database  is  supposed  to  be  one 
of  the  many  weapons  in  the  country’s 
fight  against  terrorism.  And  although 
the  list  hasn’t  led  to  any  arrests,  it  has 
caused  approximately  350  U.S.  citizens 


to  either  be  delayed  or  de¬ 
nied  the  right  to  travel.  The 
FBI  won’t  reveal  who  is  on 
the  list,  which  is  maintained 
by  the  Transportation 
Security  Administration,  a 
branch  of  the  U.S.  Depart¬ 
ment  of  Homeland  Security, 
which  is  run  by  Tom  Ridge. 

After  that  first  incident, 

Kennedy,  who  you’d  think  is 
recognizable,  was  stopped 
repeatedly,  even  after  his 
aides  called  the  TSA  to  clar¬ 
ify  the  matter. 

His  name  was  removed  from  the  list 
only  after  he  personally  phoned  Ridge. 

The  reason  Kennedy  was  on  the  list 
in  the  first  place?  Apparently,  the  name 
“T.  Kennedy”  has  been  used  by  a  sus¬ 
pected  terrorist  as  an  alias. 

Is  that  all  it  takes? 

Is  this  the  level  of  sophisticated 
technology  being  deployed  to  fight  the 
war  on  terror?  You  might  as  well  digi¬ 
tize  the  phone  book. 

Of  course,  the  airline  says  it’s  the 
TSA’s  problem,  and  TSA  officials  say 
they’re  just  doing  their  job  and  that 
glitches  —  well,  they  just  happen.  And, 


yes,  they’re  going  to  get  a 
bigger,  better  system. 

And  while  the  govern¬ 
ment  says  the  TSA  will  is¬ 
sue  a  letter  for  those  who 
are  mistakenly  on  the  list, 
how  will  you  know  you 
need  the  letter  unless 
you’re  stopped  at  some  air¬ 
port  or  border  crossing? 

I  have  an  English  friend 
who  possesses  a  valid  U.S. 
green  card  and  has  worked 
legally  in  the  U.S.  for  years. 
A  technology  professional  who  regu¬ 
larly  travels  from  London  to  Seattle,  he 
was  stopped  by  U.S.  immigration  offi¬ 
cials  because  he  had  a  U.K.  address  on 
one  of  his  documents.  When  he  tried 
to  explain  that  he  goes  back  and  forth 
on  business,  he  was  ushered  into  a 
small  room  and  grilled  by  officers,  who 
made  it  clear  that  they  didn’t  believe  a 
word  of  what  he  was  saying. 

Finally,  after  a  rather  nerve-rattling 
experience,  a  supervisor  was  called  to 
the  scene,  inspected  the  documents 
and  let  my  friend  proceed. 

Technology  is  often  touted  as  savior 
or  scoundrel  when  it  comes  to  big  gov¬ 


ernment  projects.  The  government  is 
spending  boatloads  of  borrowed  cash 
to  install  massive  databases  designed 
to  link  all  sorts  of  lists,  from  tallies  of 
delinquent  student  loans  or  driver’s  li¬ 
censes  to  flight  manifests.  It’s  an  inter¬ 
esting  idea  to  build  a  web  of  interlock¬ 
ing  information  to  trap  terrorists.  But 
the  execution  is  a  direct  contradiction 
to  the  openness,  freedom  and  common 
sense  that  characterizes  civil  society. 

The  moral  of  this  story  isn’t  that 
technology  is  the  culprit.  Using  IT  to 
make  the  government  more  efficient, 
more  transparent  and  more  accessible 
to  more  people  is  a  liberating  and  pow¬ 
erful  concept.  Every  day,  individuals 
click  through  the  business  of  renewing 
driver’s  licenses,  e-mailing  elected  offi¬ 
cials  or  checking  on  government  pro¬ 
grams,  using  the  sublime  magic  of  the 
microchip. 

But  technology  that’s  misused  is  a 
problem.  The  no-fly  list  is  a  no-win  in 
the  fight  against  terror.  ©  48972 


OMore  columnists  and  links  to  archives  of  previous 
columns  are  on  our  Web  site: 

www.computerworld.com/columns 


pimm  fox  is  a  London- 
based  journalist. 
Contact  him  at 

pimmfox@pacbell.net. 


READERS’  LETTERS 


Critics  Fire  Back  at  ITAA  Over  E-voting 


According  to  the  article  “ITAA 
Fires  Back  at  Critics  of  E-vot¬ 
ing”  [QuickLink  48210],  a  recent 
survey  by  the  Information  Technolo¬ 
gy  Association  of  America  showed 
“that  77%  of  registered  voters  are 
unconcerned  about  the  security  of 
e-voting  systems,”  and  ITAA  Presi¬ 
dent  Harris  Miller  believes  that  “crit¬ 
ics  who  claim  to  be  concerned 
about  the  security  of  e-voting  sys¬ 
tems  are  really  using  the  issue  to 
push  a  political  agenda  on  behalf  of 
the  open-source  community." 

I'm  pretty  sure  those  same  77% 
of  registered  voters  aren’t  concerned 
about  the  security  of  their  home  PCs, 
given  the  widespread  problem  of 
worms,  viruses  and  spyware. 

If  asking  proponents  of  open- 
source  software  to  comment  on  the 
security  of  electronic  voting  sys¬ 
tems  is,  as  Miller  says,  “like  asking  a 
bunch  of  clergymen  what  they  think 
of  premarital  sex,”  then  asking  end 
users  about  computer  security  is 
like  asking  a  bunch  of  prostitutes 
what  they  think  of  family  values. 

Joe  Sestirich 
LAN  administrator, 

Pittsburgh 


WORK  IN  THE  IT  section  of  a 
bank,  and  if  we  were  to  go  about 
our  normal  operations  without  any 
hard-copy  audit  trails,  the  federal 
government  would  shut  us  down  in 
a  heartbeat.  How  is  it  that  some¬ 
thing  as  important  as  selecting  the 
man  who  will  run  and  represent  our 
country  doesn’t  warrant  the  same 
scrutiny  as  processing  our  money? 
Frank  Thomas 
Pittsburgh, 

fthomas@comcast.net 

The  ITAA’S  views  and  statistics 
are  a  smokescreen.  This  e-vot- 
ing  issue  has  nothing  to  do  with 
open-source  vs.  proprietary,  and  all 
to  do  with  reliability,  security  and 
auditability.  I  belong  to  an  e-voting 
watchdog  group  in  North  Carolina, 
and  I  would  say  90%  of  the  mem¬ 
bers  have  no  idea  what  open-source 
is.  They  just  want  a  verifiable  election. 
Jim  Franz 

Programmer,  Greensboro,  N.C. 

THE  ITAA’S  statement  is  ridicu¬ 
lous!  Did  the  survey  respon¬ 
dents  know  what  “security  of  e-vot- 
ing  systems"  means?  This  is  a  world 


where  95%  of  the  people  cannot 
program  their  VCRs.  My  guess  is 
that  most  voters  would  think  a  po¬ 
liceman  at  the  polling  place  consti¬ 
tutes  good  security  for  the  e-voting 
systems.  Read  Computerworld'^, 
Shark  Tank  to  get  a  better  under¬ 
standing  of  the  level  of  computer 
knowledge  out  there. 

S.  Duffy 

Senior  system  analyst, 
Minneapolis 

IF  E-VOTING  is  as  flawed  as  the 
logic  in  Harris  Miller's  justification, 
then  we  need  to  bury  the  idea  im¬ 
mediately.  The  percentage  of  peo¬ 
ple  uninformed  about  an  issue  does 
nothing  to  condemn  or  defend  it. 
Chuck  Hinkle 
Houston 

Many  people  I  have  known  in 
my  27  years  in  the  industry 
have  no  clue  about  what  a  secure 
computer  system  involves.  I’ve  even 
had  a  conversation  with  someone 
who  writes  software  for  the  Internet 
as  a  profession  who  believes  that 
simply  restricting  traffic  to  Port  80 
will  keep  your  server  safe. 

If  77%  of  registered  voters  be¬ 
gan  to  keep  up  with  the  security 


patches  on  their  PCs,  stopped 
opening  e-mails  and  executing  at¬ 
tachments  from  unknown  sources, 
then  maybe  I  would  begin  to  trust 
their  opinion  on  a  secure  computer 
system.  Until  then,  the  issue  is  not 
open-source  vs.  propriety  software; 
it’s  about  the  ability  to  audit  the  sys¬ 
tem.  Until  major  strides  are  made  in 
computer  security,  including  getting 
rid  of  unethical  people  from  the 
computer  profession,  a  paper  trail 
will  be  a  requirement  to  guarantee 
the  accuracy  of  a  voting  system. 
Michael  Quigley 
Systems  analyst/ 
programming  coordinator, 

New  Knoxville,  Ohio 

COMPUTERWORLD  welcomes 
comments  from  its  readers.  Letters 
will  be  edited  for  brevity  and  clarity. 
They  should  be  addressed  to  Jamie 
Eckle,  letters  editor,  Computerworld, 
P0  Box  9171, 500  Old  Connecticut 
Path,  Framingham,  Mass.  01701. 
Fax:(508)879-4843. 

E-mail:  letters@computerworld.com. 
Include  an  address  and  phone  num¬ 
ber  for  immediate  verification. 

OFor  more  letters  on  these  and 
other  topics,  go  to 

www.computerworld.com/letters 


Double  your  productivity  with  Scan2  technology. 


The  best  way  to  stay  ahead  is  to  double 
your  productivity.  Introducing  Scan2 
SCSI!2  technology  from  Sharp.  Sharp's  Digital 
Imagers  with  Scan2  technology  are  designed  to  scan  two- 
sided  documents  in  a  single  pass. 

Now  your  training  manuals  and  white  papers  can  be 
scanned,  copied,  emailed  and  digitally  distributed  quicker 
than  ever  before. 


In  fact,  it's  1 1 5%  faster  than  any  other  product  in  its  class. 
Not  only  is  it  like  having  double  the  help,  it  will  also  allow 
you  to  accomplish  more  tasks,  in  dramatically  less  time. 
Together  with  Sharp's  integrated  network  management 
software  and  security  features,  your  digital  information  is 
safe  and  workflow  is  fully  optimized. 

Visit  sharpusa.com/scan2  or  call  1-800-BE-SHARP  for 
more  information. 


The  AR-M550,  AR-M620  and  AR-M700: 

•  Operate  at  55,  62  and  70  pages-per-minute 

.  Fully  integrated  network  ready  digital  copier/printers 

•  Include  network  management  software  and  document  filing  capability 


be  sharp 


•  Results  ot  l 
Toshiba  e*! 


if  ' Inc  r .  ument  Feeding  Speed  tests  (originals  per  minute)  in  22  mode  for  Sharp  AR-M550  vs.  the  following  manufacturers’  competitive  models:  Canon  iR  5000  and  5020,  HP  9055  MFP,  Konica  7155,  Kyocera  Mita  KM-5530,  Ricoh  Aficio  1055  and  551,  and 

©2003  Sharp  Corporation 


£*  HARk 

hn  A,  S.tu  y«. 


SCW  SPEEDS* 


3T  3 


to  of 

1 

too 
0  o 


Id  T 


C.O«?£TlTlON  JHAKr  AP-MSSO 


PRODUCT  IV  IT 'f' 
RELIABILITY* 

CTAN 


pgagMMHi 


08.30.04 


Directory  Assistance 

Virtual  directories  provide  applica¬ 
tions  with  a  single  point  of  access 
to  user  data  when  the  information 
requested  is  located  in  more  than 
one  directory.  Page  24 


QUICKSTUDY 

Fuzzy  Logic 

While  Boolean  logic  solves  problems 
with  a  binary,  yes-or-no  answer, 
fuzzy  logic  solves  problems  when 
data  is  vague  or  imprecise.  Page  26 


SECURITY  MANAGER’S  JOURNAL 

Company  Secrets  Hit  the  Exits 

Mathias  Thurman  discovers  that  a  lax  policy 
has  allowed  executives  who  are  leaving  his 
company  to  depart  with  laptops  loaded  with 
sensitive  e-mail,  applications  and  data.  Page  27 


ORGANIZED 


NUDES 


CYBERSPACE 


-  * 

;W-‘  Jt*.  Jr •  - ' _ 

Once  the  work  of  vandals,  viruses  and  other  malware  are  now 
being  launched  by  criminals  looking  for  profits.  BY  DAN  VERTON 


Antivirus  researchers  have 
uncovered  a  startling  increase 
in  organized  virus-  and  worm¬ 
writing  activity  that  they  say  is 
powering  an  underground  economy 
specializing  in  identity  theft  and  spam. 

“The  July  outbreak  of  MyDoom.O 
was  yet  another  reminder  that  spam¬ 
mers  are  now  using  sophisticated, 
blended  threats  that  mix  spam,  viruses 
and  denial-of-service  attacks,”  accord¬ 
ing  to  Andrew  Lochart,  director  of 


product  marketing  at  Postini  Inc.,  an 
e-mail  security  services  provider  in 
Redwood  City,  Calif.  In  July  alone, 
Postini’s  customers  reported  more 
than  16  million  directory  harvest  at¬ 
tacks,  which  are  attempts  by  spam¬ 
mers  to  hijack  a  company’s  entire 
e-mail  directory. 

The  link  between  viruses,  worms 
and  the  underground  criminal  econo¬ 
my,  however,  goes  back  to  long  before 
the  latest  version  of  MyDoom,  says 


Mikko  Hypponen,  antivirus  research 
director  at  F-Secure  Corp.  in  Helsinki, 
Finland.  Starting  with  the  initial  out¬ 
break  of  MyDoom  in  January,  Hyppo¬ 
nen  began  to  notice  that  what  had  pre¬ 
viously  been  considered  little  more 
than  a  rogue  virus-writing  subculture 
actually  had  a  significant  link  to  orga¬ 
nized  efforts  to  use  malicious  code  to 
make  money. 

“MyDoom  got  press  coverage  be¬ 
cause  of  the  denial-of-service  attack  it 


launched  against  SCO  and  Microsoft 
Corp.,”  says  Hypponen.  “But  nobody 
was  paying  attention  to  what  was  hap¬ 
pening  behind  the  scenes.” 

And  what  was  happening,  according 
to  Hypponen,  was  the  beginning  of  a 
concerted,  unabashed  effort  to  turn 
virus  and  worm  infections  into  cash. 

Eight  days  after  MyDoom.A  hit  the 
Internet,  somebody  scanned  millions 
of  IP  addresses  looking  for  the  back 

Continued  on  page  22 


1 


The  ultra  reliable  IBM  eServer  xSeries  365  system  -  with  powerful  Intel®  Xeon™  processors  -  can  make  your  work,  and 
IT  selection  process,  easier.  With  three  levels  of  memory  protection  and  a  comprehensive  monitoring  of  key  components,  it’s 
all  about  uptime.  So  you  get  outstanding  reliability  when  running  mission-critical  ERP,  collaboration  and  database  applications. 
The  works.  Management  is  easier,  too.  You  can  have  around-the-clock  remote  access,  on  demand.  And  system  status  can  be 
available  even  when  powered  off.  For  more  on  highly  available,  manageable  xSeries  servers,  go  to  ibm.com/eserver/advantage 


5  reasons  more  and  more  businesses  are  turning  to  IBM  eServer ™  xSeries  systems  with  Intel  Xeon  processors. 


Scale  1-16  way  with  select 

IBM  Director  systems 

Linux-ready  through 

Mainframe-inspired 

24/7/365  optional  onsite 

models.  Pay  as  you  grow. 

management. 

the  entire  line. 

technologies. 

hardware  support.1 

(e)  server 


The  easy  choice.  Dependability. 
IBM  eServer  xSeries  365  system. 


'Additional  charges  apply.  Standard  support  includes  next-business-day  response  in  some  countries.  IBM.  the  e-business  logo,  eServer,  the  eServer  logo  and  xSeries  are  trademarks  or  registered  trademarks  ot  International 
Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  Intel.  Intel  Inside,  the  Intel  Inside  logo  and  Intel  Xeon  are  trademarks  or  registered  trademarks  ol  Intel  Corporation  or  its  subsidiaries  in  the 
United  States  and  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or  service  marks  of  others.  C  2004  IBM  Corporation.  All  rights  reserved. 


>  »wt  orlc»  on  tbm  NtTl 


OEM-CD 


HOME 

> 

SHIPPING 

> 

DISCOUNTS 

> 

TESTIMONIAL 

> 

FAQ 

> 

•  Shipping 

Wo  ship  by  intomotiontl  airmail 
froo  of  chorgo.  Tbo  tim*  of 
delivery  depends  on  your 
location.  Usually  it  toko*  2-4 
weeks  when  you  select  our  free 
shipping  option. 

Please  be  patient  when  waiting 
Cor  on  or  dor  to  come  in.  Delivery 
con  toko  up  to  6  weeks  rn  stmt 
CIMi. 


KrtirW'"  I 


Mkroeeft  Wmiow*  XP 
PttfHtwul  2W2 

am«  Ph«t»«H«p 

HkivmH  Offke  XP 

•  $39.95 

•  $59.95 

•  $59.95 

Retail  price;  $27«.*$ 

•  Retail  price* 

R«t*il  price:  $57$.$$ 

Our  low  Pricei  *3t.«3 

•  Our  low  Price' 

•  j  Our  low  Price: 

You  Save: 

You  Save  $$$• 

*j  You  Save 

°"TNO 

Organized  virus  writers  use  viruses  and  worms  to  create  spam  that  leads  unsuspecting  users 
to  fake  online  banks  or  Web  sites,  such  as  this  one,  that  exist  only  to  steal  identities. 


Continued  from  page  19 
door  left  by  the  worm,  said  Hypponen. 
The  attackers  searched  for  systems 
with  a  Trojan  horse  called  Mitglieder 
installed  and  then  used  those  systems 
as  their  spam  engines.  As  a  result,  mil¬ 
lions  of  computers  across  the  Internet 
were  now  for  sale  to  the  underground 
spam  community. 

Of  course,  spamming  viruses  aren’t 
new.  Security  professionals  have  been 
dealing  with  them  for  years.  However, 
the  appearance  of  MyDoom  and  more 
recent  viruses  and  worms  signaled  the 
beginning  of  much  larger  problems, 
says  Hypponen. 

By  the  end  of  January,  Internet  users 
were  busy  dealing  with  the  Bagle  mass 
mailer.  And  although  the  first  version 
wasn’t  particularly  successful,  at  least 
a  dozen  variants  soon  followed,  includ¬ 
ing  variants  that  carried  Mitglieder. 

But  the  real  clues  that  organized 
gangs  were  using  Bagle  and  MyDoom 
to  sell  spam  proxies  —  as  well  as  links 
to  phony  Web  sites  that  exist  only  to 
harvest  identities  and  personal  finan¬ 
cial  information  —  came  when  the 
writer  behind  Netsky.R  posed  a  direct 
challenge  to  the  so-called  professional 
virus  writers. 

In  addition  to  attempting  to  remove 
Bagle  and  MyDoom  from  infected 
computers,  Netsky  conducted  a  denial- 
of-service  attack  against  Web  sites 
known  to  be  fronts  for  identity  thieves, 
according  to  Hypponen. 

When  F-Secure  analysts  decoded  the 
encrypted  messages  hidden  within  a 
subsequent  version  of  Bagle  (Bagle.J), 
they  discovered  a  threat  of  a  virus  war 
if  the  Netsky  author  continued  to 
“ruin”  the  “business”  of  the  profession¬ 
al  virus  writers. 

“We  have  information  that  the  writ¬ 
ers  of  both  MyDoom  and  Bagle  may  be 
Russian  immigrants  living  in  various 
European  countries,”  says  Hypponen. 

Whoever  is  behind  it,  they  are  orga¬ 
nized  and  running  a  thriving  business, 
says  Hypponen. 

Brian  Dunphy,  director  of  global 
analysis  operations  at  Symantec 
Corp.’s  Security  Operations  Center  in 
Alexandria,  Va.,  acknowledges  that  it’s 
difficult  to  discern  the  intent  behind 
many  viruses  and  worms  in  the  wild. 

In  addition  to  planting  back  doors, 
some  worms,  such  as  the  latest  My¬ 
Doom  variant,  have  embedded  peer- 
to-peer  updating  capabilities,  he  says. 

“What  we  used  to  see  are  worms 
and  viruses  that  did  not  have  a  reach- 
back-and-call-home  capability,”  says 
Dunphy.  “What  we  saw  with  MyDoom, 
however,  was  that  infected  systems 
were  aware  of  other  infected  systems, 


and  they  automatically  built  a  peer-to- 
peer  network  of  sorts.” 

In  fact,  Symantec’s  analysis  of  the  re¬ 
cent  MyDoom.M  outbreak  discovered 
a  mechanism  that’s  used  to  maintain  a 
list  of  all  known  infected  systems  and 
permits  the  worm’s  author  to  update 
all  MyDoom.M-infected  systems  with 
new  arbitrary  malicious  code  with  lit¬ 
tle  risk  of  its  network  being  hijacked 
by  rival  worm  authors,  says  Alfred 
Huger,  senior  director  of  Symantec 
Security  Response. 

In  addition  to  propagating  spam 
proxies  and  setting  up  peer-to-peer 
networks,  viruses  and  worms  are  being 
used  to  install  Web  servers  on  vulnera¬ 
ble  systems.  Those  Web  servers  are 
then  used  to  host  everything  from 
pornography  and  pirated  software 


SIGNS  OF  THE 

UNDERGROUND 

ECONOMY 

A  massive  underground  community 
is  engaging  in  online  theft. 

Windows  machines  are  infected 
with  viruses,  then  turned  into  prox¬ 
ies,  Web  servers  or  attack  networks. 

Lists  of  such  servers  are  being 
sold  and  bought  online. 

Credit  card  databases  are  being 
sold  and  bought. 

EBay,  PayPal  and  E-gold  accounts 
are  being  sold  and  bought. 

Hacked  servers  are  being 
sold  and  bought. 

Distributed  denial-of-service  attack 
networks  are  being  sold  and  bought. 


sites  to  fake  banks,  Hugos  says. 

Underground  bartering  and  selling 
is  conducted  on  Web  sites  such  as  a 
Russian  site  that,  among  other  things, 
sells  subscription  services  to  compro¬ 
mised  computers. 

Various  other  Russian  and  Chinese 
message  boards  exist  for  the  sole  pur¬ 
pose  of  selling  spam  hosts.  Accepted 
payment  methods,  shown  clearly  on 
the  Web  pages,  include  E-gold  trans¬ 
actions  and  WebMoney  and  Western 
Union  money  transfers.  Ironically, 
organized  e-criminals  don’t  accept 
credit  cards. 

For  Sale:  Your  ID 

Viruses  and  worms  carrying  Trojan 
horse  code  are  also  powering  massive 
identity  theft  rings. 

At  sites  like  www.oemcd.biz,  www. 
mega-oem.biz,  http://huge-sales.info 
and  www.atlantictrustbank.com, 
among  hundreds  of  others,  users  are 
presented  with  the  opportunity  to  buy 
popular  software  at  tremendous  dis¬ 
counts,  sometimes  at  one-tenth  the  re¬ 
tail  price.  And  while  these  sites  look 
authentic,  Hypponen  offers  a  word  of 
caution. 

“The  one  thing  all  of  these  sites  have 
in  common  is  that  none  of  them  exist,” 
he  says.  “If  you  buy  something  from 
them,  you’ll  get  nothing,  and  they  will 
never  charge  your  credit  card.  But 
what  they  will  do  is  steal  your  identi¬ 
ty.”  In  fact,  identities  and  bulk  credit 
card  “dumps”  are  available  to  the  high¬ 
est  bidder  at  some  sites. 

Tracking  down  virus  writers  and 
other  online  criminals  can  be  more 
difficult  than  anybody  ever  imagined. 
It’s  particularly  difficult  in  the  case  of 
fraudulent  domain-hosting  schemes, 


which  often  use  IP  addresses  that  ex¬ 
pire  every  two  minutes,  Hypponen 
says. 

“If  you  refresh  these  sites,  the  do¬ 
main  name  points  to  a  different  IP  ad¬ 
dress  every  two  minutes,”  he  explains. 
“And  then  if  you  look  at  the  IP  address¬ 
es,  you’ll  see  that  they  are  in  places  like 
Japan,  Portugal,  Brazil,  Canada  and 
elsewhere.” 

Hackers  and  malicious-code  writers 
are  increasingly  automating  the  Inter¬ 
net  shell  game  that  keeps  many  of 
them  one  step  ahead  of  law  enforce¬ 
ment.  The  Kuwaiti  hacker  group 
Q8See  is  a  case  in  point. 

On  March  8,  a  Russian  source  re¬ 
ported  to  F-Secure  analysts  the  exis¬ 
tence  of  a  Trojan  horse  created  by 
Q8See  called  Slacke.  But  what  made 
Slacke  unique  was  the  extraordinary 
lengths  to  which  its  authors  went  to 
hide  their  tracks  and  the  mystery  that 
remains  about  the  group’s  intent. 

First,  the  worm  downloaded  code 
from  a  Web  site  hosted  in  Sao  Tome 
and  Principe,  a  small  island  nation  lo¬ 
cated  off  the  Atlantic  coast  of  Africa. 
Analysis  by  F-Secure,  however,  showed 
that  the  domain  rights  for  the  Web  site 
had  been  sold  to  a  company  in  Sweden. 
But  registration  information  listed  the 
company  name  as  JordanChat  and  the 
location  as  Irbid,  Jordan.  The  contact 
name  was  TeROr. 

As  thousands  of  infected  computers 
downloaded  the  malicious  code  from 
the  Web  server  in  Sao  Tome  and 
Principe,  they  were  then  linked  to  an 
Internet  Relay  Chat  system  operated 
by  CNN  in  Atlanta. 

Once  logged  into  CNN’s  IRC  server, 
the  systems  connected  to  an  IRC  chan¬ 
nel  in  Mexico  called  Noticias.  And 
when  Hypponen  and  his  analysts  stud¬ 
ied  the  channel,  they  were  astonished 
at  what  they  saw. 

“There  were  20,000  clients  just  sit¬ 
ting  on  the  channel  doing  nothing. 
They  looked  like  people,  but  they  were 
bots,”  he  says,  referring  to  programs 
that  perform  repetitive,  automated 
functions. 

The  bots,  however,  weren’t  alone. 
According  to  Hypponen,  three  Kuwaiti 
users,  presumably  members  of  Q8See, 
were  sitting  on  the  channel  and  send¬ 
ing  commands  to  the  bots  to  scan  vari¬ 
ous  ranges  of  IP  addresses.  And  while 
CNN  eventually  shut  down  the  chat 
server,  nobody  knows  for  sure  what 
the  hackers  were  doing. 

“We  may  never  know,”  says  Hyppo¬ 
nen.  “Whether  or  not  this  is  traditional 
organized  crime  doesn’t  matter  —  be¬ 
cause  they  are  organized,  and  what 
they  are  doing  is  criminal.”  O  48794 


I.T.  DEPARTMENTS 

THAT  MAKE 
IT  HAPPEN 
RUN  SAP 


Imagine  I.T.  that’s  flexible  enough  to  help  you  reach  your  business  goals  quickly  and  efficiently.  The  SAP  NetWeaver"  platform  speeds  integration 
and  makes  the  job  of  managing  applications  a  lot  more  manageable.  So  you  can  make  changes  and  implement  new  strategies  faster  than  ever. 
Visit  sap.com/netweaver  or  call  800  880  1727  to  seize  opportunities  as  they  arise. 


2004  SAP  AG.  SAP  and  the  SAP  logo  are  trademarks  and  registered  trademarks  of  SAP  AG  in  Germany  and  several  other  countries. 


HE  BOEING  CO.  has  a 
diverse  directory  infra¬ 
structure  that  includes 
products  like  Sun  ONE, 
Microsoft  Active  Directo¬ 
ry  and  Oracle.  Having  a 
heterogenous  directory 
infrastructure  in  a  company  the  size  of 
Boeing  is  a  practical  necessity,  but  it 
also  creates  headaches  for  the  aero¬ 
space  company,  which  has  900  directo¬ 
ry-enabled  applications  that  serve 
some  150,000  employees. 

The  problem  is  that  most  identity 
management  systems,  Web  portals  and 
other  directory-dependent  applica¬ 
tions  are  designed  to  access  just  one 
directory,  but  the  data  each  requires 
may  reside  in  many.  Even  when  re¬ 
quested  data  is  available  in  a  single 
repository,  it  may  not  be  structured  in 
the  way  the  application  wants  to  see  it. 

As  a  result,  getting  each  application 
to  work  with  the  directory  infrastruc¬ 
ture  can  become  a  big  project,  says 
Marty  Schleiff,  a  cyberidentity  special¬ 
ist  at  the  Boeing  Shared  Services  Group. 

“Every  requirement  means  changing 
an  existing  directory  without  breaking 
it  for  existing  clients  or  setting  up  a 
new  directory,”  Schleiff  says.  A  third 
option,  customizing  the  application, 
can  be  costly.  Unlike  with  internal  ap¬ 
plication  development  projects,  the 
money  spent  customizing  a  commer¬ 
cial  application  can’t  be  leveraged  by 


other  applications,  and  customization 
adds  to  the  amount  of  code  that  must 
be  maintained,  he  says. 

To  solve  the  problem,  Schleiff  is 
turning  to  virtual  directory  software, 
an  emerging  class  of  products  that  he 
says  offers  a  more  flexible  approach  to 
providing  applications  with  access  to 
user  account  data  and  other  attributes. 

Boeing  has  piloted  and  is  ready  to 
begin  a  phased  rollout  of  Virtual  Di¬ 
rectory  Engine  from  Octetstring  Inc. 
in  Schaumburg,  Ill.  To  the  application, 
the  virtual  directory  looks  just  like  the 
target  directory  it  expects  to  see.  It 
takes  requests  for  data  from  the  appli¬ 
cation,  retrieves  it  from  the  back-end 
directories,  performs  any  transforma¬ 
tions  needed  and  presents  it  to  the  ap¬ 
plication  in  the  format  required.  No 
modification  to  the  application  or  tar¬ 
get  directories  is  needed. 

“We’re  deploying  it  to  support  many 
client  applications.  We’re  trying  to  cre¬ 
ate  a  shared  service,”  Schleiff  says. 

The  Virtual  Difference 

Virtual  directories  are  similar  to  an¬ 
other  tool:  metadirectories.  Both  can 
access  user  data  from  different  reposi¬ 
tories.  Metadirectories,  a  core  element 
of  user  provisioning  tools,  copy  data 
into  a  new  repository  that  must  be  cre¬ 
ated,  maintained  and  synchronized. 
The  need  to  keep  data  updated  can  be 
a  headache  when  data  in  source  direc- 


When  to  Use 
Virtual  Directories 

■  For  applications  that  can  access 
only  a  single  directory  when  the 
user  data  or  attributes  reside  in 
many  places. 

■  As  an  alternative  to  metadirecto¬ 
ries  when  attributes  in  source  direc¬ 
tories  change  frequently. 

■  As  a  directory  migration  tool.  A 
virtual  directory  lets  administrators 
migrate  to  a  new  directory  architec¬ 
ture  without  updating  all  of  the  ap¬ 
plications  that  depend  on  it.  The  vir¬ 
tual  directory  presents  those  appli¬ 
cations  with  a  view  of  the  old  direc¬ 
tory  and  its  schema  structures. 

■  To  break  apart  very  large  directory 
repositories  to  improve  write  perfor¬ 
mance  and  reduce  downtime.  The 
virtual  directory  still  provides  a 
single,  unified  view. 


tories  changes  frequently.  Some  busi¬ 
ness  units  may  also  object  to  the  idea 
of  creating  a  second  repository  for 
customer  data  that  will  be  outside  of 
their  control,  citing  regulatory  or 
strategic  concerns. 

In  contrast,  virtual  directories  access 
the  attributes  requested  from  each  di¬ 
rectory  or  database  on  the  fly.  The  soft- 


SSTANCE 


Virtual  directories  offer  a  fast  and  efficient  way  to  get 
identity  management  software  and  other  directory- 
dependent  applications  online.  By  Robert  L.  Mitchell 


ware  uses  a  cache  to  speed  performance 
but  typically  doesn’t  store  data  locally. 

Virtual  directory  deployments  can 
cost  substantially  less  than  alternative 
strategies.  The  software,  licensed  by 
the  server,  may  cost  $10,000  to  several 
hundred  thousand  dollars  for  a  large 
project.  But  that’s  a  small  price  to  pay 
compared  with  the  cost  of  rebuilding 
an  enterprise  directory  or  reworking 
each  application,  says  Schleiff.  “Any¬ 
time  you’re  considering  spending  mon¬ 
ey  to  customize  an  application  so  that  it 
can  use  your  directory,  you  should  look 
at  virtual  directory  technology,”  he  says. 

The  technology  can  even  help  appli¬ 
cations  that  aren’t  sophisticated 
enough  to  deal  with  more  complex  di¬ 
rectory  mechanisms  such  as  Light¬ 
weight  Directory  Access  Protocol 
(LDAP)  referrals.  A  virtual  directory 
can  follow  the  reference  to  locate  the 
data  and  return  it  to  the  application. 

But  virtual  directories  also  have  a 
few  drawbacks.  Although  they  don’t 
create  an  additional  repository,  they 
do  create  another  layer  of  complexity 
because  they  require  applications  to 
access  information  indirectly  through 
the  virtual  directory  server  rather  than 
going  to  the  directory  that  actually 
holds  the  data. 

“There’s  a  discomfort  with  adding 
another  layer  of  infrastructure.  If 
something  happens  to  our  Web  single 
sign-on,  our  critical  applications  are 
down,”  says  Schleiff.  “Virtual  directo¬ 
ries  . . .  both  simplify  and  make  the 
service  offering  more  complex.” 

Another  potential  weakness:  Virtual 
directories  are  only  as  good  as  the  di¬ 
rectories  behind  them.  If  a  directory 
tends  to  go  down  frequently  or  offers 
poor  response,  a  metadirectory  that 
has  its  own  data  source  may  be  a  better 
choice.  But  users  say  virtual  directo¬ 
ries  have  advantages  here,  too.  They 
have  load-balancing  and  fail-over  fea¬ 
tures  that  can  be  configured  to  redirect 
a  request  to  an  alternative  data  source. 
If  the  connection  drops  in  the  middle 
of  a  request,  for  example,  the  virtual 
directory  retries  another  repository 
and  returns  the  rest  of  the  data. 

Starting  Small 

Boeing  is  one  of  the  first  companies  to 
make  the  virtual  directory  an  integral 
part  of  its  directory  service,  but  pro¬ 
grammers  and  directory  specialists  at 
many  large  companies  have  been  qui¬ 
etly  using  the  tools  for  several  years 
for  specific,  one-off  applications  or 
departmental  development  projects. 

Jeff  Sobel,  a  senior  analyst  at  New 
York  Independent  System  Operator 
(NYISO),  a  wholesale  electricity  pro- 


www.computerworld.com 


TECHNOLOGY 


COMPUTERWORLD  August  30, 2004 


25 


Virtual  Players 


VENDORS  OF  VIRTUAL  DIRECTORY 
SOFTWARE  are  generally  small  compa¬ 
nies  with  30  employees  or  less  and  a  cus¬ 
tomer  base  measured  in  tens  of  users.  Some 
vendors  offer  only  a  virtual  directory,  while 
others  offer  a  mix  of  products  and  services. 
Here’s  how  they  differentiate  themselves. 


Radiant  Logic  and  Trondheim,  Norway- 
based  MaXware  Inc.  offer  both  metadirec¬ 
tory  and  virtual  directory  products  and  pro¬ 
mote  integration  features  between  the  two. 
The  MVD  MaXware  Virtual  Directory  offers  a 
flexible  and  easy-to-use  interface,  says  Bur¬ 
ton  Group's  Gerry  Gebel.  RadiantOne  adds  a 
"persistent  cache,”  blurring  the  distinction 
between  its  metadirectory  and  virtual  direc¬ 
tory  products.  Both  BEA  Systems  Inc.  and 


BMC  Software  Inc.  include  Radiant  Logic’s 
technology  in  their  product  lines,  while 
MaXware  has  partnered  with  Hampshire, 
England-based  integrator  BT  Syntegra. 


Octetstring  started  with  a  Java  LDAP 
directory  that  it  transformed  into  its  Virtual 
Directory  Engine.  The  product  has  flexible 
joining,  mapping  and  transformation  fea¬ 
tures  and  a  newly  released  3.0  version 
adds  features  that  make  the  product  easier 
to  use.  Oblix  resells  the  technology  with 
its  CorelD  product. 


Symlabs  SA  in  Lisbon,  Portugal,  is  the 
smallest  vendor  in  the  group;  it  focuses  on 
high-performance,  large-scale  deploy¬ 
ments.  Telecommunications  companies  are 


among  the  early  adopters  of  its  Directory 
Extender  product.  Paris-based  Calendra’s 
Directory  Manager  includes  a  complete 
development  environment  and  workflow 
component.  The  vendor  has  experience  in 
developing  Yellow  Pages-type  applications, 
says  Gebel. 


Persistent  Systems  Pvt.,  an  established 
software  development  outsourcer  in  Pune, 
India,  is  by  far  the  largest  vendor  in  the 
group.  It  has  experience  building  metadirec¬ 
tory  connectors  for  other  vendors.  It  has 
about  1,000  employees,  although  only  about 
30  support  enQuire  Virtual  Directory.  That 
product,  part  of  the  enQuire  Identity  Server, 
also  supports  a  persistent  cache. 

-  Robert  L.  Mitchell 


vider  in  Albany,  was  building  a  Web 
application  to  let  customers  place  bids 
over  the  Internet.  He  chose  RSA  Secu¬ 
rity  Inc.’s  ClearTrust  access  manage¬ 
ment  software  to  authenticate  users, 
but  the  product  could  point  to  only 
one  LDAP  directory.  His  user  data 
resided  in  an  Oracle  database  and  an 
LDAP  directory.  At  RSA’s  suggestion, 
he  brought  in  RadiantOne  virtual  di¬ 
rectory  software  from  Radiant  Logic 
Inc.  in  Novato,  Calif.  Sobel  says  he  had 
the  software  up  and  running  within  a 
month.  “It’s  not  a  long  cycle  time  to  get 
it  running,”  he  says. 

NYISO  wasn’t  always  sold  on  virtual 
directories,  however.  The  company 
looked  at  the  tools  a  year  ago  and 
decided  that  most  weren’t  mature 
enough.  Although  a  few  virtual  direc¬ 
tory  tools  have  been  around  since  the 
late  ’90s,  they’ve  improved  significant¬ 
ly  since  then,  says  Gerry  Gebel,  a  Fair¬ 
fax,  Va. -based  analyst  at  Burton  Group. 
Several  vendors  have  added  graphical 
point-and-click  user  interfaces  to  the 
tools  that  make  setting  them  up  much 
easier  than  the  previous,  text-based  in¬ 
terfaces  and  configuration  files.  “But 
you  still  have  to  understand  LDAP, 
database  structures  and  things  of  that 
nature,”  Gebel  cautions. 

The  manager  of  directory  services  at 
a  large  family  entertainment  company, 
which  he  asked  not  be  named,  says  a 
virtual  directory  made  sense  for  his 
application  for  both  political  and  tech¬ 
nical  reasons.  The  company  uses  a  flat 
directory  structure,  but  its  identity 
management  software  expects  user 
data  to  be  organized  hierarchically. 
Using  a  metadirectory  to  transform  the 


data  was  out  because  management 
“really  put  the  hammer  down  about 
replicating  data  to  different  business 
units,”  he  says.  Rebuilding  the  source 
directory  would  have  required  eight 
months,  versus  just  one  month  to  de¬ 
ploy  a  virtual  directory.  The  technol¬ 
ogy  provided  a  hierarchical  view  of  the 
data  “without  provisioning  our  data  all 
over  again,”  he  says. 

Choosing  a  virtual  directory  means 
looking  at  very  small  vendors,  since 
the  big  directory  players  have  yet  to 
offer  full-blown  virtual  directory  prod¬ 
ucts.  The  virtual  directory  vendors  — 
about  a  half-dozen  in  all  —  are  typical¬ 
ly  small,  privately  held  firms  with  few¬ 


er  than  30  employees  and  anywhere 
from  five  to  50  or  more  customers.  Yet 
the  vendors  count  many  of  the  world’s 
largest  companies  among  their  cus¬ 
tomers.  “The  larger  and  more  complex 
the  organization,  the  more  need  they 
have  for  this  technology,”  says  Gebel. 

One  way  to  mitigate  the  risk  of  going 
with  small  vendors  is  to  leverage 
agreements  they  have  with  identity 
management  software  vendors  and  in¬ 
tegrators.  Radiant  Logic  has  agree¬ 
ments  with  RSA  and  Accenture  Ltd., 
for  example,  while  Octetstring  has  al¬ 
lied  itself  with  Oblix  Inc.  Users  can 
take  other  steps  as  well,  says  Gebel.  “If 
you’re  implementing  something  that  is 


higher  risk,  you  need  to  take  measures 
such  as  getting  source  code  in  escrow  or 
going  through  a  larger  vendor,”  he  says. 

Another  potential  concern  is  scala¬ 
bility,  says  Gebel,  although  vendors 
disagree.  While  the  products  have  been 
shipping  for  several  years,  they’re  evolv¬ 
ing  and  have  yet  to  prove  themselves  in 
many  large-scale  deployments,  he  says. 

But  those  concerns  don’t  bother 
NYISO’s  Sobel.  He  says  he  plans  to  use 
the  technology  as  part  of  a  broader, 
single-sign-on  project  involving  more 
than  a  half-dozen  directories.  “Because 
we  aren’t  tied  down  to  a  true  directory 
. . .  it’s  easier  to  add  repositories  as  time 
moves  on.”  ©  48758 


Metadirectory  ©  Virtual  Directory 


METADIRECTORIES  include  software  that  synchronizes  data  from  multiple  source  directories,  ■  VIRTUAL  DIRECTORIES  don’t  maintain  a  separate  information  repository  but  create  a  virtualiza- 

stores  it  in  a  new  repository  and  keeps  it  synchronized.  The  applications  in  the  example  below  H  tion  layer  between  the  applications  and  source  repositories.  The  virtual  directory  server  receives 

then  request  authentication  data  in  the  metadirectory  using  LDAP.  H  requests  from  the  clients  by  way  of  LDAP,  Directory  Services  Markup  Language  (DSML),  SQL  or 

Simple  Object  Access  Protocol.  It  then  retrieves  the  requested  data  and  performs  transformations 
on  the  fly  in  order  to  present  the  data  requested  to  each  application  in  the  format  it  expects. 


APPLICATIONS 


METADIRECTORY 


IDENTITY  DATA  SOURCES 


APPLICATIONS 


VIRTUAL  DIRECTORY 


IDENTITY  DATA  SOURCES 


28 


COMPUTERWORLD  August  30, 2004 


TECHNOLOGY 


www.computerworld.com 


zy  Logic 


DEFINITION 

Fuzzy  logic  is  an  extension  of  classic  Boolean  logic 
designed  to  work  with  imprecise  or  vague  data,  with 
the  concept  of  partial  truth.  Where  classical  reason¬ 
ing  requires  yes  and  no  values,  fuzzy  logic  can  han¬ 
dle  concepts  such  as  “maybe,”  “nearly”  and  “very.” 


BY  RUSSELL  KAY 

HE  DIGITAL  computing 
world  is  built  on  a  struc¬ 
ture  of  Boolean  logic 
applied  to  binary  values 
—  one  or  zero,  yes  or  no,  in  or 
out.  But  this  powerful  struc¬ 
ture  is  a  gross  oversimplifica¬ 
tion  of  the  real  world,  where 
many  shades  of  gray  exist  be¬ 
tween  black  and  white.  In 
everyday  life,  we  use  quasi¬ 
metric  notions  that  are  clearly 
related  to  numerical  concepts 
or  values  but  lack  precision  or 
demarcation. 

What  time  is  it?  If  I’m  a 
server  time-stamping  thou¬ 
sands  of  files,  digital  certifi¬ 
cates  or  transactions,  I  need 
very  fine  distinctions.  But  if 
I’m  asking  a  co-worker 
what  time  it  is,  do  I 
really  care  that  it’s 
11:49:54  a.m.  Eastern 
Daylight  Time?  Or  do 
I  just  want  to  know  if 
it’s  time  for  lunch  yet? 

Or  take  the  weather.  If  it’s 
90  degrees  Fahrenheit  on  a 
July  day,  that’s  hot  for  Massa¬ 
chusetts  but  mild  for  Arizona. 
A  total  of  several  inches  of 
rain  that  month  might  consti¬ 
tute  a  drought  in  Massachu¬ 
setts  but  a  welcome  relief 
from  one  in  Arizona. 

Get  Fuzzy 

The  real  world  simply  doesn’t 
map  well  to  binary  distinc¬ 
tions,  and  numerical  precision 
is  often  unhelpful  in  making 
qualitative  statements.  Fuzzy 
logic  gives  us  a  way  to  deal 
with  such  situations. 

In  fuzzy  systems,  values  are 


indicated  by  a  number  (called 
a  truth  value)  in  the  range 
from  0  to  1,  where  0.0  repre¬ 
sents  absolute  falseness  and 
1.0  represents  absolute  truth. 
While  this  range  evokes  the 
idea  of  probability,  fuzzy  logic 
and  fuzzy  sets  operate  quite 
differently  from  probability. 

If  I  tell  you  that  my  height  is 
5  ft.  6  in.  (or  168  cm),  you  may 
have  to  think  a  bit  before  de¬ 
ciding  whether  you  consider 
me  short  or  not  short  (i.e., 
tall).  Moreover,  you  might 
reckon  me  short  for  a  man  but 
tall  for  a  woman.  So  let’s  make 
the  statement  “Russell  is 
short,”  and  give  that  a  truth 
value  of  0.70. 

If  0.70  represented  a  proba¬ 
bility  value,  we  would 
read  it  as  “There  is  a 
70%  chance  that  Rus¬ 
sell  is  short,”  meaning 
that  we  still  believe 
that  Russell  is  either 
short  or  not  short,  and 
we  have  a  70%  chance  of 
knowing  which  group  he  be¬ 
longs  to.  But  fuzzy  terminolo¬ 
gy  really  translates  to  “Rus¬ 
sell’s  degree  of  membership  in 
the  set  of  short  people  is  0.70,” 
by  which  we  mean  that  if  we 
take  all  the  (fuzzy  set  of)  short 
people  and  line  them  up,  Rus¬ 
sell  is  positioned  70%  of  the 
way  to  the  shortest.  In  conver¬ 
sation,  we  would  say  Russell  is 
“kind  of”  short  and  recognize 
that  there  is  no  definite  de¬ 
marcation  between  short  and 
tall.  We  can  state  this  mathe¬ 
matically  as  mSHORT(  Rus¬ 
sell)  =  0.70,  where  m  is  the 
membership  function. 


Another  difference  becomes 
visible  when  we  look  at  some 
logical  operations,  particularly 
or  and  and.  In  probability,  we 
calculate  the  and  (intersec¬ 
tion)  of  two  independent 
events  by  multiplying  their  in¬ 
dividual  probabilities  together 
and  the  or  (or  union)  as  the 
sum  of  individual  probabilities 
less  their  product.  For  fuzzy 
logic,  we  evaluate  or  as  the 
maximum  of  individual  truth 
values,  while  and  is  the  mini¬ 


mum  of  those  values.  As  we 
incorporate  more  factors  into 
the  mix,  even  those  with  high 
values  —  the  overall  probability 
continues  to  drop,  eventually 
approaching  0.0.  For  fuzzy  log¬ 
ic,  however,  the  truth  value  re¬ 
mains  high.  Similarly  for  the  or 
operator,  incorporating  more 
factors  increases  probability 
to  near  1.0,  while  adding  more 
fuzzy  sets  doesn’t  raise  the 
combined  value  at  all,  and  the 
limit  will  be  the  largest  of  the 
individual  membership  values. 

Hedging  Your  Bets 

One  thing  that  makes  fuzzy 
systems  useful  is  the  ability 
to  define  “hedges,”  or  descrip¬ 
tive  modifiers,  to  represent 
fuzzy  values.  This  keeps  the 
operations  of  fuzzy  logic  clos¬ 
er  to  natural  language  and  al¬ 
lows  us  to  generate  fuzzy 
statements  through  mathe¬ 
matical  calculations. 

Defining  hedges  and  the  op¬ 
erations  that  use  them  is  a  sub¬ 
jective  process,  and  it  can  vary 
from  project  to  project.  But 
the  system  lets  us  use  opera¬ 
tors  and  produce  compound 
results  using  the  same  formal 


methods  as  classic  logic. 

For  example,  let’s  change 
the  statement  “Bob  is  old”  to 
“Bob  is  very  old.”  Here  we’re 
using  “very”  as  a  hedge  or  de¬ 
scriptor,  and  this  particular 
hedge  is  often  defined  as 
equivalent  to  the  square  of 
the  base  value.  Therefore  if 
mOLD(Bob)  =  0.80,  then 
mVERYOLD(Bob)  =  0.64. 

Other  hedges  include  “more 
or  less,”  “somewhat,”  “rather” 
and  “sort  of.”  All  have  subjec¬ 
tive  definitions  but  transform 
membership/truth  values  in  a 
systematic,  reliable  manner. 

O  48634 


Kay  is  a  Computerworld  con¬ 
tributing  writer  in  Worcester, 
Mass.  You  can  contact  him  at 
russkay@charter.net. 

IT  STARTED  WITH  PLATO 

Learn  about  the  history  of  fuzzy  logic: 

QuickLink  48756 
www.computerworld.com 

Are  there  technologies  or  issues  you'd  like 
to  learn  about  in  QuickStudy?  Send  your 
ideas  to  quickstudy@computerworld.com 

To  find  a  complete  archive  of  our 
QuickStudies,  go  online  to: 

Ocomputerworld.com/quickstudies 


SEVEN  TRUTHS  OF  FUZZY  LOGIC 


1.  Fuzzy  logic  isn’t  fuzzy.  Fuzzy  logic  isn’t  intrinsi¬ 
cally  imprecise,  doesn’t  violate  common  sense  and 
produces  unambiguous  results.  “Classical’’  Boolean 
logic,  in  fact,  is  merely  a  special  case  of  fuzzy  logic. 

2.  Fuzzy  logic  is  different  from  probability.  With 
probability,  we’re  trying  to  determine  some¬ 
thing  about  the  potential  outcome  of 
clearly  defined  events  that  may  occur 
at  random.  With  fuzzy  logic,  we're 
trying  to  determine  something 
about  the  nature  of  the  event  it¬ 
self.  Fuzziness  is  often  expressed 
as  ambiguity,  not  imprecision  or 
uncertainty:  it’s  a  characteristic  of 
perception  as  well  as  concept. 


logic  handles  all  the  interlocking  degrees  of  freedom. 
These  systems  are  validated  much  like  conventional 

systems,  but  tuning  them  is  usually  much  simpler. 
— 

5.  Fuzzy  systems  aren’t  neural  networks.  A 

fuzzy  system  attempts  to  find  the  intersection,  union 
or  complement  of  the  fuzzy  control  variables. 
While  this  is  somewhat  analogous  to 
both  neural  networks  and  linear  pro¬ 
gramming,  fuzzy  systems  approach 
these  problems  differently. 


3.  Designing  fuzzy  sets  is  easy. 

Fuzzy  sets  reflect,  in  a  general  way,  how 
people  actually  think  about  a  problem.  It's  usually 
quick  and  easy  to  rough  out  the  approximate  shape  of 
a  fuzzy  set.  Later  on,  after  some  testing  or  experience, 
we  can  adjust  its  precise  characteristics. 


4.  Fuzzy  systems  are  stable  and  easily  tuned 
and  can  be  validated.  It’s  faster  and  easier  to  create 
fuzzy  sets  and  build  a  fuzzy  system  than  it  is  to  create 
conventional  knowledge-based  systems,  since  fuzzy 


6.  Fuzzy  logic  is  more  than 
process  control.  Although  some 
people  view  fuzzy  logic  mainly  as 
a  tool  for  process  control  and  signal 
analysis,  that  interpretation  is  too 
limiting.  Fuzzy  logic  is  a  way  of  repre¬ 
senting  and  analyzing  information,  indepen¬ 
dent  of  specific  applications. 

7.  Fuzzy  logic  is  a  representational  and  reason¬ 
ing  process.  Fuzzy  logic  is  a  powerful  and  versatile 
tool  for  representing  imprecise,  ambiguous  and  vague 
information.  It  can’t  solve  all  problems,  but  it  helps  us 
model  difficult,  even  intractable  problems. 

-Adapted  from " The  Seven  Noble  Truths  of  Fuzzy 
Logic. " byEadCox ,  Computer  Design,  April  1992 


2 


www.computerworld.com 


TECHNOLOGY 


COMPUTERWORLD  August  30. 2004 


Company  Secrets 
Hit  the  Exits 

It  does  no  good  to  worry  about  hacker 
attacks  if  departing  executives  are  free 
to  leave  with  sensitive  programs  and 
data.  By  Mathias  Thurman 


The  other  day,  I  found 
out  that  an  executive  in 
my  company  was  leav¬ 
ing.  Normally,  that 
wouldn’t  be  a  big  deal.  After 
all,  in  a  large  company  people 
come  and  go  all  the  time.  But 
this  executive’s  employment 
contract  included  a  clause  that 
lets  him  keep  his  laptop.  As  a 
security  manager,  I  find  this 
alarming,  but  it’s  a 
common  practice 
when  hiring  execu¬ 
tives  here. 

While  executives 
have  always  departed 
with  their  computers, 
until  now  no  one  has 
bothered  to  erase  the  sensitive 
programs  and  data  on  those 
machines.  Computers  in  the 
sales  and  marketing  group, 
for  example,  contain  customer 
contact  lists,  confidential 
price  lists,  e-mail  correspon¬ 
dence,  and  merger  and  acqui¬ 
sition  information. 

The  executive  in  question 
was  part  of  an  inquiry  a  few 
months  ago  that  required  ob¬ 
taining  an  image  of  his  lap¬ 
top’s  hard  disk  drive.  A  mem¬ 
ber  of  the  legal  department, 
hearing  of  his  planned  depar¬ 
ture,  remembered  that  inquiry 
and  called  me.  This  person 
was  leaving  the  company  un¬ 
der  good  terms,  he  said. 

Nonetheless,  I  asked  for  his 
laptop  right  away  so  that  we 
could  take  another  mirror  im¬ 
age,  wipe  the  drive  and  then  in¬ 
stall  the  standard  baseline  im¬ 
age  on  it.  To  my  surprise  and 
dismay,  my  request  was  met  by 
a  considerable  amount  of  resis¬ 
tance  from  management.  But  in 
the  end,  less  than  24  hours  be¬ 
fore  the  employee’s  departure, 

I  finally  received  his  laptop. 


In  the  wake  of  this  episode, 
the  CIO  established  a  policy 
that  any  laptop  leaving  with 
an  employee  must  have  its 
disk  wiped.  The  policy  state¬ 
ment  will  be  included  in  fu¬ 
ture  offer  letters  whenever  re¬ 
tention  of  any  company-issued 
computer  equipment  is  part  of 
the  employment  agreement. 

With  that  problem  behind 
me,  I  turned  my 
attention  to  anoth¬ 
er  pressing  issue. 
Except  for  certain 
enterprise-class 
applications,  such 
as  PeopleSoft,  Ora¬ 
cle  and  Siebel,  my 
company  develops  in-house 
almost  all  of  the  software  it 
uses.  Prior  to  deployment,  any 
application  we  develop  must 
enter  our  project  life  cycle, 
which  includes  many  reviews. 
Most  of  the  items  I  am  con¬ 
cerned  with  relate  to  access 
control,  encryption,  server 
and  application  security,  and 
proper  network  segregation. 

Unfortunately,  this  process 
is  fairly  new  and  is  always  be¬ 
ing  refined.  We’ve  only  recent¬ 
ly  mandated  IT  security  repre¬ 
sentation  at  the  various  stages 


While  executives 
have  always  departed 
with  their  computers, 
until  now  no  one  has 
bothered  to  erase  the 
sensitive  programs 
and  data  on  those 
machines. 


of  projects.  Now,  someone  in 
my  group  attends  the  project 
planning  meetings  and  all 
technical  and  critical  design 
review  boards.  But  sometimes 
smaller  programming  projects 
can  slip  by. 

A  few  months  ago,  I  en¬ 
countered  an  application  that 
lets  a  user  create  and  publish 
surveys.  Since  the  program 
was  designed  for  a  group  that 
was  using  the  application  for 
the  one-time  collection  of 
nonsensitive  data  from  the 
sales  organization,  we  decided 
not  to  run  it  through  the  proj¬ 
ect  life-cycle  process.  But  I  re¬ 
member  mentioning  at  the 
time  that  I  was  afraid  other 
departments  would  find  out 
about  the  survey  tool  and  try 
to  use  it  for  gathering  more- 
sensitive  information. 

Fears  Realized 

Since  then,  just  as  I  feared, 
several  departments  have  ex¬ 
pressed  an  interest  in  this  ap¬ 
plication.  After  getting  wind 
of  this,  I  insisted  that  if  the  ap¬ 
plication  was  to  be  used  in  a 
production  environment  for 
collecting  more-sensitive  data, 
it  had  to  go  through  the  formal 
project  life-cycle  path. 

As  part  of  the  security  re¬ 
view,  we  conduct  a  variety  of 
security  assessments.  We  as¬ 
sess  both  the  application  and 
the  server  on  which  it  will  re¬ 
side.  In  addition,  we  review 
the  application’s  architecture, 
which  typically  involves  un¬ 
derstanding  which  ports  the 
application  must  use  and  any 
relationships  between  the  ap¬ 
plication  and  other  production 
servers.  We  don’t  want  one 
compromised  system  to  lead 
to  the  compromise  of  others 
by  way  of  trust  relationships. 
We  also  ensure  that  the  appro¬ 
priate  firewall  rules  are  de¬ 
fined  and  that  only  the  neces¬ 
sary  services  are  allowed. 

The  survey  tool  consists  of 
a  stand-alone  application  that 
creates  a  survey.  The  survey  is 
then  pushed  to  a  Web  server 
via  an  encrypted  session.  To 
enable  that,  firewall  rules 


SECURITY 
MANAGER’S 
JOURNAL fi 


must  allow  only  the  server 
containing  the  stand-alone  ap¬ 
plication  to  communicate  with 
the  Web  server.  We  also  need¬ 
ed  rules  to  allow  only  Web 
traffic  to  the  Web  server  and 
to  our  network  operations 
center  to  monitor  the  server. 

To  conduct  the  server  and 
application  assessment,  we 
used  the  open-source  Nessus 
scanning  program  and  Web 
Inspect  from  Atlanta-based 
SPI  Dynamics  Inc.  In  addi¬ 
tion,  we  used  scripts  and  oth¬ 
er  techniques  as  time  permit¬ 
ted  to  further  interrogate  the 
server  and  the  application. 
Any  discrepancies  in  either 
must  be  fixed,  or  mitigating 
controls  must  be  put  in  place. 

For  the  survey-tool  applica¬ 
tion,  the  server  assessment 
came  out  perfect.  That’s  be¬ 
cause  we  have  a  top-notch 
baseline  system  image  that  has 
been  hardened  and  patched. 
But  the  application  assess¬ 
ment  revealed  a  few  items  of 
concern,  including  a  cross-site 
scripting  vulnerability  that 
could  be  exploited  to  cause 
the  user  to  execute  malicious 
code  when  viewing  the  survey. 
Once  these  vulnerabilities  are 
fixed  or  mitigated,  we  plan 
to  give  the  green  light  to  the 
project  leader  to  deploy  this 
application. 

Next,  I’m  back  to  trying  to 
find  an  automated  way  to  de¬ 
tect  rogue  wireless  access 
points.  We’re  testing  Cisco 
Systems  Inc.’s  triangulation 
feature.  If  configured  properly, 
it  can  detect  an  AP  within  a 
10-foot  radius. 

The  problem  is  that  the  APs 
are  often  hidden,  and  we  still 
have  to  find  them.  So  we’re 
working  on  a  way  to  automati¬ 
cally  trace  media  access  con¬ 
trol  addresses  from  our 
switches  back  to  network 
jacks  in  individual  offices.  It’s 
still  not  an  ideal  approach,  but 
it’s  definitely  a  start.  I 

WHAT  DO  YOU  THINK? 

This  week's  journal  is  written  by  a  real  securi¬ 
ty  manager,  “Mathias  Thurman,"  whose 
name  and  employer  have  been  disguised  for 
obvious  reasons.  Contact  him  at  mathias, 
thurman@yahoo.com,  or  join  the  discussion 
in  our  forum:  QuickLink  a1590 

To  find  a  complete  archive  of  our 
Security  Manager's  Journals,  go  online  to 

0  computerworld.com/secjournal 


SECURITY  LOG 


Security  Bookshelf 

■  Network  Security  First- 
Step,  by  Thomas  M.  Thomas; 
Pearson  Education,  2004. 

I  frequently  re¬ 
ceive  e-mail  from 
readers  asking 
me  about  the  best 
way  to  get  into  the 
information  secu¬ 
rity  field.  I  always 
suggest  a  few  ti¬ 
tles,  and  Network 
Security  First-Step  is  the 
perfect  book  for  that  purpose. 

The  author  assumes  that 
readers  know  nothing  about 
security  and  introduces  al¬ 
most  every  pertinent  topic. 
From  security  policies  to  en¬ 
cryption  to  penetration  test¬ 
ing,  Thomas  presents  the  top¬ 
ics  in  a  way  that’s  easy  to  un¬ 
derstand.  He  combines  screen 
shots,  diagrams  and  examples 
of  things  such  as  router  and 
firewall  access  control  lists  to 
make  his  points.  Overall,  it’s  a 
good  introduction  for  those 
who  know  little  about  the  field. 


SOX  Compliance 
Suite  Launched 

SAP  consulting  firm  Preci¬ 
sion  Consulting  Inc.  in  Min- 
den,  Nev.,  announced  the 
release  of  S0X+,  a  set  of  tools 
designed  to  assist  with  Sar- 
banes-Oxley  Act  compliance 
efforts  on  SAP  systems.  The 
software  is  available  now. 
Pricing  starts  at  $40,000. 

McAfee  WebShield 
3.0  Makes  Debut 

McAfee  Inc.  in  Santa  Clara, 
Calif.,  has  released  Version 
3.0  of  McAfee  WebShield  for 
its  e250,  e500  and  elOOO  ap¬ 
pliances.  WebShield  includes 
antivirus,  content-scanning 
and  optional  antispam  func¬ 
tions.  New  features  include 
the  ability  to  create  and  apply 
rules  for  antivirus,  antispam 
and  content  filtering  for  differ¬ 
ent  groups,  a  dashboard  and 
configuration  wizard,  and  an 
SMTP  transport-logging  func¬ 
tion.  Pricing  starts  at  $1,480 
for  a  100-node  license. 


28  COMPUTERWORLD  August  30, 2004 


Workshare  Ships 
Protect  Version  3.0 


Workshare  Technology  Inc.  in  San 
Francisco  announced  Workshare 
Protect  3.0,  software  that’s  de¬ 
signed  to  detect  and  eliminate  un¬ 
wanted  metadata  from  Microsoft 
Office  documents  before  they’re 
e-mailed.  The  tool  also  integrates 
with  Lotus  Notes  and  Novell 
GroupWise  software.  Available 
now,  Workshare  Protect  3.0 
starts  at  $25  per  seat. 


Asset  Management 
Tools  Improved 

LogicLibrary  Inc.  last  week  re¬ 
leased  a  new  version  of  its  Logi- 
dex  software  development  asset 
management  tools  for  J2EE  and 
.Net.  Version  3.5  is  compliant 
with  the  Web  Services  Interoper¬ 
ability  Organization’s  Basic  Pro¬ 
file,  according  to  the  Pittsburgh- 
based  company.  Logidex  3.5 
starts  at  $10,000  per  server  and 
$1,000  per  seat. 


Iomega  Adds  35GB 
SCSI  Disk  Backup 

Iomega  Corp.  has  introduced  the 
REV  35GB,  an  entry-level  exter¬ 
nal  SCSI  disk  drive  designed  to 
replace  tape  drives  without  dis¬ 
rupting  server  operations.  The 
external  drive  sells  for  $499;  an 
internal  model  costs  $449. 


Imprivata  Updates 
Password  Manager 


Imprivata  Inc.,  a  vendor  of  pass¬ 
word  management  and  biometric 
authentication  products  in  Lex¬ 
ington,  Mass.,  shipped  OneSign 
2.5.  The  appliance  features  self- 
service  password  management 
functions  and  enhanced  finger- 
biometric  capabilities  that  elimi¬ 
nate  the  need  for  users  to  enter 
or  select  a  username  prior  to 
scanning,  said  Imprivata. 


TECHNOLOGY 


www.computerworld.com 


BRUCE  SCHNEIER 


Encryption  Must 
Move  Beyond  SHA 


AT  THE  Crypto  2004  conference  in  Santa 

Barbara,  Calif.,  this  month,  researchers  an¬ 
nounced  several  weaknesses  in  common 
hash  functions.  These  results,  while  mathe¬ 
matically  significant,  aren’t  cause  for  alarm.  But  even 
so,  it’s  probably  time  for  the  cryptography  community 
to  get  together  and  create  a  new  hash  standard. 


One-way  hash  functions 
are  a  cryptographic  con¬ 
struct  used  in  many  appli¬ 
cations.  They  are  used  with 
public-key  algorithms  for 
both  encryption  and  digital 
signatures.  They  are  used 
in  integrity  checking.  They 
are  used  in  authentication. 

They  have  all  sorts  of  ap¬ 
plications  in  a  great  many 
different  protocols.  Much 
more  than  encryption  algo¬ 
rithms,  one-way  hash  func¬ 
tions  are  the  workhorses  of 
modern  cryptography. 

Ron  Rivest  invented  the 
MD4  and  MD5  hash  functions  in  the 
early  1990s.  Then  the  National  Securi¬ 
ty  Agency  published  a  similar  hash 
function  called  the  Secure  Hash  Algo¬ 
rithm  (SHA),  followed  by  SHA-1, 
which  today  is  the  most  popular  hash 
function. 

One-way  hash  functions  are  sup¬ 
posed  to  have  two  properties.  First, 
they’re  one-way.  This  means  that  it’s 
easy  to  take  a  message  and  compute 
the  hash  value,  but  it’s  impossible  to 
take  a  hash  value,  and  re-create  the 
original  message.  (By  “impossible”  I 
mean  “can’t  be  done  in  any  reasonable 
amount  of  time.”)  Second,  they’re  col¬ 
lision-free.  This  means  that  it’s  impos¬ 
sible  to  find  two  messages  that  hash  to 
the  same  hash  value.  The  cryptograph¬ 
ic  reasoning  behind  these  two  proper¬ 
ties  is  subtle,  and  I  invite  curious  read¬ 
ers  to  learn  more  in  my  book,  Applied 
Cryptography  (Wiley,  1995). 

Breaking  a  hash  function  means 


showing  that  either  —  or 
both  —  of  those  properties 
aren’t  true.  Cryptanalysis 
of  the  MD4  family  of  hash 
functions  has  proceeded  in 
fits  and  starts  over  the  past 
decade  or  so,  with  results 
against  simplified  versions 
of  the  algorithms  and  par¬ 
tial  results  against  the 
whole  algorithms. 

This  year,  Eli  Biham  and 
Rafi  Chen,  and  separately 
Antoine  Joux,  announced 
some  impressive  crypto¬ 
graphic  results  against 
MD5  and  SHA.  Collisions 
have  been  demonstrated  in  SHA.  And 
there  are  rumors,  unconfirmed  at  this 
writing,  of  results  against  SHA-1. 

The  magnitude  of  these  results  de¬ 
pends  on  who  you  are.  If  you’re  a 
cryptographer,  this  is  a  huge  deal. 
While  not  revolutionary,  these  results 
are  substantial  advances  in  the  field. 
The  techniques  described  by  the  re¬ 
searchers  are  likely  to  have  other  ap¬ 
plications,  and  we’ll  be  better  able  to 
design  secure  systems  as  a  result.  This 
is  how  the  science  of  cryptography  ad¬ 
vances:  We  learn  how  to  design  new 
algorithms  by  breaking  other  algo¬ 
rithms.  In  addition,  algorithms  from 
the  NSA  are  considered  a  sort  of  alien 
technology:  They  come  from  a  superi¬ 
or  race  with  no  explanations.  Any  suc¬ 
cessful  cryptanalysis  against  an  NSA 
algorithm  is  an  interesting  data  point 
in  the  eternal  question  of  how  good 
they  really  are  in  there. 

As  a  user  of  cryptographic  systems 


BRUCE  SCHNEIER  is  the 

chief  technology  officer 
of  Counterpane  Internet 
Security  Inc.  in  Mountain 
View,  Calif.  You  can  sub¬ 
scribe  to  his  monthly 
“Crypto-Gram”  newsletter 
at  www.schneier.com. 


—  as  I  assume  most  of  you  are  —  this 
news  is  important,  but  not  particularly 
worrisome.  MD5  and  SHA  aren’t  sud¬ 
denly  insecure.  No  one  is  going  to  be 
breaking  digital  signatures  or  reading 
encrypted  messages  anytime  soon 
with  these  techniques.  The  electronic 
world  is  no  less  secure  after  these  an¬ 
nouncements  than  it  was  before. 

But  there’s  an  old  saying  inside  the 
NSA:  “Attacks  always  get  better;  they 
never  get  worse.”  These  techniques 
will  continue  to  improve,  and  probably 
someday  there  will  be  practical  attacks 
based  on  these  techniques. 

It’s  time  for  us  all  to  migrate  away 
from  SHA-1. 

Luckily,  there  are  alternatives.  The 
National  Institute  of  Standards  and 
Technology  (NIST)  already  has  stan¬ 
dards  for  longer  — and  harder-to-break 

—  hash  functions:  SHA-224,  SHA-256, 
SHA-384  and  SHA-512.  They’re  already 
government  standards  and  can  already 
be  used.  This  is  a  good  stopgap,  but  I’d 
like  to  see  more. 

I’d  like  to  see  NIST  orchestrate  a 
worldwide  competition  for  a  new  hash 
function,  like  it  did  for  the  new  encryp¬ 
tion  algorithm,  Advanced  Encryption 
Standard,  which  replaced  the  Data  En¬ 
cryption  Standard.  NIST  should  issue  a 
call  for  algorithms  and  conduct  a  series 
of  analysis  rounds  where  the  commu¬ 
nity  reviews  the  proposals  with  the  in¬ 
tent  of  establishing  a  new  standard. 

Most  of  the  hash  functions  we  have 
and  all  the  ones  in  widespread  use  are 
based  on  the  general  principles  of 
MD4.  Clearly,  we’ve  learned  a  lot 
about  hash  functions  in  the  past 
decade,  and  we  can  start  applying  that 
knowledge  to  create  something  even 
more  secure. 

Better  to  do  it  now,  when  there’s  no 
reason  to  panic,  than  years  from  now, 
when  there  might  be.  O  48921 


WANT  OUR  OPINION? 

OFor  more  columns  and  links  to  our  archives,  go  to 

www.computerworld.com/opinions 


Is  Grid  Computing  Ready 
for  Your  Enterprise? 

Computerworld’s  IT  Executive  Summit  Will  Guide  Your  Decision 


If  you're  an  IT  executive*  in  an  end-user  organization, 
apply  to  attend  Computerworld's  upcoming  complimentary 
half-day  summit  on  Grid  Computing. 

When  done  well,  grid  computing  can  lower  hardware 
costs,  reduce  development  and  operational  expenses 
and  result  in  more  effective  systems  management 
and  use  of  processing  resources.  As  grid  moves  from 
the  realm  of  science  and  research  into  business 
applications,  what  are  the  risks,  tradeoffs,  and  key 
considerations?  How  have  other  businesses  evaluated 
the  opportunities  to  use  grid?  Most  importantly, 
is  this  emerging  style  of  computing  finally  ready 
for  your  enterprise? 

By  leveraging  the  knowledge  of  industry  experts  and 
the  real-world  experience  and  advice  of  your  IT  peers, 
this  IT  Executive  Summit  will  provide  an  overview  of 
effective  strategies  for  assessing  and  implementing 
grid  technologies. 

*  Complimentary  registration  is  restricted  to 
qualified  IT  executives  only. 


Apply  for  registration  today 

For  more  information  or  to  apply,  visit 

www.itexecutivesummit.com 


Grid  Computing:  Assessing  the 
Reality  and  the  Potential 

Philadelphia  *  September  15,  2004 

Philadelphia  Marriott  •  1201  Market  Street  •  Independence  Ballroom 

7:45am  to  8:15am  Registration  and  Networking  Breakfast 

8:15am  to  8:45am  From  Cutting  Edge  to  Corporate  Stage: 

Grid  Computing  and  the  Enterprise 

Maryfran  Johnson,  Editor  in  Chief,  Computerworld 

8:45am  to  9: 1 5am  Industry  Analyst  Perspective 

9:15am  to  9:45am  Virtualization  at  CIGNA  Corp.:  Balancing 

Tactical  IT  Goals  with  Business  Strategy 

Ben  Flock,  VP  of  Virtualization  and  Application  Frameworks,  CIGNA 


Selected 

speakers 

include: 


I 

Maryfran  Johnson 
Editor  in  Chief, 
Computerworld 


Ben  Flock 
VP  of  Virtualization 
and  Application 
Frameworks, 

CIGNA 


9:45am  to  10:15am 
10:15am  to  10:45am 
10:45am  to  1 1:15am 

1 1 :15am  to  Noon 


Refreshment  and  Networking  Break 

Update  from  the  Enterprise  Grid  Alliance  (EGA) 

The  View  of  Grid  Computing  from  Iron  Mountain 

Bill  Olsen,  VP  of  Enqineerinq,  Iron  Mountain 

Senior  Editor, 

.  -  .  ,  -  ..  Computerworld 

Key  Considerations  in  Grid  Computing 
Projects:  An  IT  Executive  Roundtable 

Panel  Moderator:  Patrick  Thibodeau,  Senior  Editor, 

Computerworld 


Patrick 

Thibodeau 


Noon 


Program  Concludes 


This  program  will  also  take  place  at  the 
State  Room  (60  State  Street)  in  Boston 
on  September  21,  2004 

For  more  information  on  these  locations,  call  888-299-0155 


Exclusively  sponsored  by: 

ORACLE 


•  I  • 

••• 

•  •  •  •  • 
••• 


COMPUTERWORLD 

IT  EXECUTIVE  SUMMIT 


GRID  COMPUTING 


k 


BUSINESS 

INTELLIGENCE 


PERSPECTIVES 


iusiness  Intelligence  Applications 

•  Performance  Management 

•  Risk  Management 

•  Analytic  Technologies 

•  Data  Warehousing  and  Mining 

•  CRM  and  ERP 

•  Regulatory  IT 

•  Best  Practices  in  Bl 


Ss®ll§ 


,  2004  •  JW  Marriott  Desert  Springs  Resort  •  Palm  Desert,  California 


v'  h 


Visionary  &  Featured  Speakers 


ANDREAS  S.  WEIGEND,  Ph.D. 

former  Chief  Scientist,  Amazon.com 
Professor,  Stanford  University 


STEVE  BANDROWCZAK 

SVP  and  CIO 
DHL  Express 


CORA  CARMODY 

CIO 

SAIC 


NIDA  DAVIS 

Senior  Enterprise  Architect 
Federal  Reserve  System  (FRS) 


S! 


MIKE  HARTE 

CIO 

PFPC 


JIM  PATHMAN 

CIO 

Accredited  Home  Lenders 


DR.  JAN 

ROWLAND,  Ph.D. 

VP 

Dun  &  Bradstreet 


IRVING  TYLER 

Vice  President  and  CIO 
Quaker  Chemical 


Attendees  will  see  solutions  from  companies  including  these  Platinum  Sponsors: 

COCriSOS  .  ORACLE 


LAWSON 


Media  Sponsors: 


: 


COMPUTERWORLD 

■H  ■ 


r  EcoStratus 


For  more  information,  visit  www.biperspectives.com/cw  or  call  1-800-883-9090 


For  sponsorship  information,  contact  Leo  Leger  at  1-508-820-8212  or  leo_leger@computerworld.com 


WHO’S  WHO  IN  IT 

The  Thrill  of  Crisis 

You  may  think  that  database 
administration  is  a  skill,  but  DBA 
Gary  Rue  knows  it’s  an  art.  In  his 
world,  a  crisis  is  always  just 
around  the  corner.  Page  36 


OPINION 

Intelligent  Disobedience 

Executives  with  half-baked  and  hare¬ 
brained  ideas  can  doom  projects  from  the 
start,  and  scope  creep  threatens  the  rest. 
What’s  a  project  manager  to  do?  Gopal  K. 
Kapur  has  the  answer:  Just  say  no.  Page  38 


Petite  Portfolio 

Big  projects  get  all  the  attention, 
but  several  small  projects  can  add  up 
to  big  risks.  Managing  them  efficiently 
requires  a  careful  balance  of  rigor  and 
common  sense.  Page  33 


launches  and  budget  overruns  —  that 
can  cost  the  company  sales,  brand 
recognition  and  customer  satisfaction. 

A  2004  report  from  Jupiter  Research 
in  New  York  highlights  the  problem: 
“Often  there  is  neither  an  incentive  for 
units  to  work  together  to  accommo¬ 
date  each  other’s  objectives,  nor  a  gov¬ 
ernance  mechanism  to  maximize  the 
overall  value  of  the  Web  site  as  a  cor¬ 
porate  asset.” 

“The  Web  represents  a  confluence 
among  different  parts  of  the  company,” 
says  Jupiter  Research  senior  vice  presi¬ 
dent  David  Schatsky,  who  wrote  the 
report.  He  points  to  a  well-known  con¬ 
sumer  travel  company  that  also  serves 
businesses.  The  company’s  business  di¬ 
vision  wanted  to  promote  its  business- 
oriented  products  on  the  Web  site,  but 
other  divisions  thought  that  would 
puzzle  the  company’s  core  clients:  in¬ 
dividual  consumers.  “In  that  situation 
you  need  a  higher  authority  who  can 
make  a  decision,”  Schatsky  advises. 


The  Cost  of  Dissension 

Jackie  DiGiovanni,  vice  president 
of  marketing  and  .  J  .  com¬ 
munication  for U.S.  ^  Group 
Pensions  at  Toronto-  based 

Manulife  Financial  WS  Corp., 


Workers  at  Excel  Switching 

Corp.  spent  months  studying 
successful  Web  sites,  mapping 
out  a  strategy  and  implement¬ 
ing  their  own  Internet  vision. 
But  the  planning  couldn’t  eliminate  a 
common  problem:  internal  debates. 

For  example,  engineers  at  the  Hyan- 
nis,  Mass.,  company,  which  sells  hard¬ 
ware  to  the  communications  carrier  in¬ 
dustry,  wanted  graphics  and  informa¬ 
tion  to  dominate  the  site,  while  mar¬ 
keters  wanted  a  more  streamlined  ap¬ 
proach.  “There  is  that  push  and  pull,” 
says  Bill  Kelly,  Excel  Switching’s  direc¬ 
tor  of  marketing  programs,  adding  that 
the  company  takes  a  democratic  ap¬ 
proach  in  those  struggles.  “Whoever 
has  the  most  influential  argument, 
we’ll  go  with  it,”  he  says. 

Technology  experts  and  business 
leaders  alike  say  ownership  of  corpo¬ 
rate  Web  sites  is  often  up  for  grabs,  as 
departments  fight  for  placement,  space 
and  functionality.  Marketing  uses  the 
Web  site  for  branding,  sales  uses  it  to 
sell,  and  customer  service  uses  it  to 
minimize  inbound  phone  calls.  IT  is 
left  to  support  all  the  demands 
—  within  budget,  of  course. 

But  internal  bickering  comes 
at  a  price  —  lost  leads,  delayed 


Who  Owns 


When  business  units  fight  to  control  the 
corporate  Web  site,  the  company  loses. 

By  Maty  K.  Pratt 


32 


COMPUTERWORLD  August  30, 2004 


MANAGEMENT 


www.computerworld.com 


Pieces  of  Web  Pie 


Web  funding  sources,  by  department 


IT: 

29% 


Marketing: 
26% 


Other 

5% 


Web 
budget: 


Sales: 

13% 


Business 
lines:  10% 


Customer  service:  9% 


Department  to  which 
Web  site  decision-makers  report 


IT: 

40% 


Marketing: 
36% 


Sales: 


Finance: 

5% 


Other: 

8%  — 


Customer  service:  4% 


Base  for  both:  254  IT  decision-makers 

SOURCE  JUPITER  RESEARCH.  NEW  YORK.  2004 


knows  how  costly  those  debates  can 
be.  When  her  division  redesigned  its 
Web  site  last  year,  the  internal  audit 
department  wanted  last-minute 
changes  to  the  security  features.  Other 
departments  disagreed  with  the  pro¬ 
posal  to  assign  new  numbers  and  ac¬ 
cess  codes  to  the  1.2  million  partici¬ 
pants  who  would  use  the  site,  but  audit 
got  its  way,  DiGiovanni  says. 

The  change  was  a  disaster,  prompt¬ 
ing  frustrated  plan  sponsors  and  par¬ 
ticipants  to  bombard  Manulife’s  cus¬ 
tomer  service  department  with  calls. 

“What  internal  audit  wanted  ideally 
was  not  workable  in  the  real  world,”  Di- 
Giovanni  says.  Manulife  spent  $500,000 
and  six  months  resolving  the  problem. 

Now  she  tells  team  members  to  bring 
such  disagreements  to  the  attention  of 
the  next  level  of  management.  “We’re 
more  aware  of  needing  to  identify  the 
conflicts  and  take  more  to  the  steering 
committee  and  let  it  get  hashed  out  at 
that  level,”  she  says. 

Web  steering  committees  are  typical 
at  more  sophisticated  companies, 
Schatsky  says.  A  financial  institution,  for 
example,  might  have  leaders  from  IT,  the 
mortgage  unit,  the  credit  card  division 
and  customer  service  on  the  committee, 
with  the  chairman  reporting  to  a  se¬ 
nior  executive. 

But  Rick  Swanborg,  president  of 


Icex  Inc.,  a  research  and  content  man¬ 
agement  firm  in  Boston,  says  simply 
forming  a  steering  committee  isn’t 
enough.  “The  companies  that  have 
done  a  better  job  at  it  have  really  put  to¬ 
gether  a  specialized  group  with  people 
from  IT,  marketing  [and]  maybe  some 
people  from  human  resources  who  can 
think  through  the  best  way  to  build  the 
corporate  Web  site,”  Swanborg  says. 

He  suggests  that  a  company  form  an 
entity  that’s  focused  only  on  the  Web 
site  and  that  holds  ultimate  responsi¬ 
bility  and  authority. 

Jupiter  Research’s  report  recom¬ 
mends  appointing  “a  single  executive 
with  responsibility  for  maximizing  the 
value  of  the  company’s  Web  site  over¬ 
all.”  That  executive’s  job  would  be  to 
make  sure  decisions  support  the  whole 
company’s  objectives  rather  than  the 
goals  of  an  individual  department. 

Companies  also  need  to  define  a  pri¬ 
mary,  high-level  purpose  for  their  sites. 
“It’s  crucial  to  getting  to  the  next  step,” 
which  is  to  maximize  the  Web  site’s  re¬ 
turn  on  investment,  Schatsky  explains. 

When  developing  its  initial  site  in 
2001,  New  York-based  Verizon  Com¬ 
munications  Inc.  defined  it  first  as  a 
single  door  to  the  corporation  and  sec¬ 
ond  as  customer-focused,  says  Maria 
Malicka,  executive  director  of  e-com¬ 
merce  and  call  management.  “We 
gained  alignment  around  that,  so  we 
didn’t  experience  infighting  or  major 
disagreements,”  she  explains. 

Verizon  also  instituted  an  e-com- 
merce  council  of  vice  presidents  and 
directors  to  address  corporate-level 
questions  and  develop  high-level 
strategies  for  the  site.  And  the  compa¬ 
ny  has  stakeholder  forums,  so  leaders 
from  different  departments  can  hear 
and  weigh  in  on  proposed  Web  site 
changes.  “Everyone  was  at  the  table 
from  the  beginning,”  Malicka  says. 

These  steps  haven’t  eliminated  all 
debates  about  the  Web  site,  she  says. 
But  they’re  crucial  to  resolving  depart¬ 
mental  conflicts  so  that  the  outcomes 
are  best  for  the  company. 

“We  are  all  in  alignment  on  its  goals, 
and  if  there  are  any  disagreements,  we 
have  forums  for  discussion  and  negoti¬ 
ations.  And  when  we  focus  on  goals 
and  customers,  we  don’t  have  any  is¬ 
sues  that  we  can’t  resolve,”  she  says. 

A  Clear  Strategy 

Randy  Gravlin,  president  of  Business 
Innovation  Inc.,  a  technology  consult¬ 
ing  firm  with  offices  in  Woburn,  Mass., 
and  Montreal,  says  that  without  a  clear 
strategy,  companies  end  up  with  “clus¬ 
ters”  such  as  IT,  business  and  market¬ 
ing  that  ultimately  have  to  come  to- 


Fid  Among  Equals 

Companies  often  put  functionality  or  time 
to  market  first  when  it  comes  to  their  cor¬ 
porate  Web  sites,  but  they  should  put  se¬ 
curity  at  the  top  of  the  list,  says  Jonathan 
G.  Gossels,  president  of  SystemExperts 
Corp.,  a  Sudbury,  Mass.-based  provider  of 
network  security  consulting  services  with 
nine  offices  throughout  the  U.S. 

That  means  the  security  team'  must 
rank  as  a  major  stakeholder  as  sites  are 
built  and  revised. 

“Security  should  be  part  of  the  overall 
plan.  That’s  early;  that’s  before  anything 
has  been  written,”  Gossels  says. 

Companies  should  have  guiding  princi¬ 


ples  when  it  comes  to  IT  security,  and 
those  principles  must  apply  to  Web  sites, 
says  Bala  Iyer,  an  assistant  professor  in  the 
information  systems  department  at  Boston 
University's  School  of  Management. 

Without  those  guiding  principles,  com¬ 
panies  “could  drop  the  ball  on  security"  as 
they  build  their  Web  systems,  Iyer  says. 
Still,  he  believes  many  companies  push 
security  down  on  their  list  of  priorities. 

Gossels  recommends  that  companies 
empower  workers  “to  blow  the  whistle 
when  something  isn’t  being  built  securely. 
The  ownership  of  securing  the  firm  is 
shared  by  everybody  in  the  firm.  Every¬ 
body’s  reputation  suffers  if  the  cargo  goes 
out  without  shutting  the  door.” 

-  Mary  K.  Pratt 


gether  to  build  a  successful  Web  site. 
“We’ve  heard  it  many  times:  ‘This  is 
going  to  be  very  hard.  How  do  you 
bring  these  groups  together  to  build  a 
consensus?’  But  it  is  doable,”  he  says. 

Business  Innovation  worked  with 
St.  Louis-based  Upbeat  Inc.  when  the 
company  spent  nearly  $1  million  re¬ 
vising  its  Web  site  earlier  this  year. 

Carla  M.  Russo,  Upbeat’s  vice  presi¬ 
dent  of  material  management  and  MIS, 
says  the  site  was  reworked  to  integrate 
it  with  back-office  functions,  collect 
better  data  and  drive  more  traffic. 

The  marketing  department  at  Up- 


Reaching  Consensus 

Web  site  operations  are  a  never-ending 
series  of  upgrades  and  revisions,  a  proc¬ 
ess  that  invites  input  from  every  depart¬ 
ment  under  the  sun. 

Despite  the  various  and  sometimes 
conflicting  orders  that  IT  might  receive 
from  these  stakeholders,  experts  say  con¬ 
sensus  is  achievable.  Here’s  how; 

■  Define  a  high-level,  primary  pur¬ 
pose  for  your  corporate  Web  site. 

This  will  help  guide  decisions  and  serve  as 
a  reference  point  for  resolving  conflicts. 

■  Name  an  entity  -  an  individual,  a 
steering  committee  or  a  new  depart¬ 
ment  -  responsible  for  mapping  the  com¬ 
pany’s  overall  strategic  objectives  onto  the 
Web  channel  and  resolving  conflicts. 

■  Invest  in  personnel  who  under¬ 
stand  both  marketing  and  technology, 

the  two  divisions  most  likely  to  dominate 
corporate  Web  site  planning. 


beat,  which  manufactures  and  markets 
indoor  and  outdoor  products  for  busi¬ 
ness  and  government  properties,  con¬ 
trolled  the  Web  site  prior  to  its  re¬ 
design,  Russo  says.  But  marketing  also 
oversaw  the  production  of  5  million 
catalogs  annually,  and  the  Web  site 
had  to  compete  for  limited  resources. 
Sometimes  that  meant  Russo  and  the 
webmaster  were  overruled. 

Russo  remembers  one  instance 
where  she  pushed  for  photos  to  corre¬ 
spond  with  each  item  available  for  sale 
on  the  site,  arguing  that  customers 
want  to  see  exactly  what  they’re  buy¬ 
ing.  Marketing  said  no,  citing  limited 
time  and  resources. 

But  with  the  redesign,  Upbeat’s  CEO 
agreed  with  Russo  and  ordered  new 
photos.  Russo  sees  this  as  one  sign  of 
the  company’s  new  focus  on  the  Web. 

“Prior  to  this  redesign,  the  Web  was 
there,  but  I  don’t  know  if  anyone  was 
really  treating  it  as  a  channel,”  she  says. 
There  was  no  clear  marketing  plan, 
and  there  were  no  specific  goals.  “No¬ 
body  was  really  driving  it,”  Russo  says. 

Russo  now  sees  IT  and  marketing  as 
having  more  equal  standing,  which 
means  better  decisions  for  the  compa¬ 
ny  overall.  Upbeat  even  plans  to  add  a 
new  position  staffed  by  someone  who 
has  both  a  tech  background  and  mar¬ 
keting  know-how  to  help  bridge  the 
two  departments  that  run  its  site. 

“Unlike  other  channels  that  can  be 
owned  by  one  department,  the  Web 
site  is  a  unique  animal.  It  just  plays  too 
interactively  into  other  areas,”  she  says. 
“It’s  the  one  channel  where  there  has 
to  be  a  clear  collaboration.”  O  48696 


Pratt  is  a  freelance  writer  in  Waltham,  Mass. 
Contact  her  at  markmary@mindspring.com. 


anrawss 


Portfolio 

Managing  small  projects  requires 
a  careful  balance  of  rigor  and 
flexibility.  By  Thomas  Hoffman 


PROJECT  MANAGEMENT 

experts  will  tell  you  that  IT 
departments  are  doing  a 
better  job  than  they  used 
to  in  delivering  big  proj¬ 
ects  on  time  and  within  budget.  But 
shift  the  discussion  to  smaller  projects 
—  those  valued  at  $250,000  or  less  — 
and  their  confidence  starts  to  dwindle. 

“There’s  a  gap  when  it  comes  to  small 
projects  and  the  due  diligence  that 
should  be  applied  to  them,”  says  Margo 
Visitacion,  an  analyst  at  Cambridge, 
Mass.-based  Forrester  Research  Inc. 

With  small  projects,  IT  project  man¬ 
agers  often  spend  less  time  on  critical 


areas  such  as  testing  and  quality  assur¬ 
ance,  says  Visitacion.  And  even  if  IT 
departments  have  fairly  mature  project 
management  disciplines  in  place,  “they 
apply  the  practices,  but  the  rigor  goes 
down,”  she  says. 

Other  tasks  that  IT  managers  tend 
to  downplay  on  small  projects  include 
documenting  the  business  objectives, 
defining  requirements  and  managing 
changes,  consultants  say. 

While  individual  small  projects  may 
seem  less  significant,  they  add  up.  This 
year,  for  example,  the  U.S.  Food  and 
Drug  Administration  has  28  projects  it 
defines  as  “major”  on  tap  that  cost  at 


least  $5  million  per  year  or  $20  million 
over  the  life  of  the  project.  But  the  50 
to  60  “nonmajor”  projects  in  the  pipe¬ 
line  this  year  represent  $40  million  of 
the  agency’s  $200  million  IT  project 
budget,  says  Rod  Bond,  director  of 
strategy  and  planning  at  the  FDA  in 
Rockville,  Md. 

What  to  Keep 

Project  managers  understand  that  they 
can  be  more  flexible  with  small  proj¬ 
ects  but  critical  requirements  remain. 

At  Capital  One  Financial  Corp., 
effective  small-project  management 
starts  with  defining  the  criteria  for 
a  small  project  —  those  valued  at 
$50,000  or  less  —  and  establishing  a  set 
of  requirements  that  have  to  be  met. 

For  instance,  the  manager  of  a  small 
project  at  McLean,  Va.-based  Capital 
One  will  place  greater  emphasis  on 
how  changes  directly  affect  end  users 
and  focus  less  on  technical  change 
management  issues,  says  Ray  Frigo, 
vice  president  of  corporate  technology 
management  at  the  credit  card  issuer. 

Since  it  began  refining  its  project  de¬ 
livery  approach  three  years  ago,  Capi¬ 
tal  One  has  scaled  back  documentation 
requirements  for  smaller  projects  so 
they  don’t  become  too  cumbersome  to 
manage,  says  Frigo.  The  tailored  small- 
project  methodology  has  helped  the 
company  complete  projects  10%  to  15% 
faster  this  year,  he  says. 

The  FDA  uses  IT  portfolio  manage¬ 
ment  software  from  Portland,  Ore.- 
based  ProSight  Inc.  to  help  ensure  that 
small  projects  go  through  much  of  the 
rigor  that  bigger  projects  do.  Project 
managers  design  a  work  breakdown 
schedule  and  a  budget  plan  for  each 
phase  of  every  project,  says  Bond. 

What  to  Drop 

But  other  big-project  requirements, 
such  as  documenting  each  step,  can  be 
waived.  “For  a  $25,000  project,  you’d 
spend  more  time  documenting  than 
you  would  building,”  Bond  explains. 

At  Russell/Mellon  Analytical  Ser¬ 
vices  LLC,  managers  prioritize  and 
rank  projects  of  all  sizes  with  the  help 
of  a  project  management  office  (PMO) 
that  was  created  four  years  ago,  says 
Tammy  Reuter,  manager  of  strategic 
initiatives  at  the  Tacoma,  Wash.- 
based  provider  of  investment 
analysis  services. 

The  PMO  mandates  that  project 
managers  develop  a  business  case  for 
each  effort,  regardless  of  size.  “We 
want  to  make  sure  that  the  smaller 
projects  we  pick  are  the  most  critical,” 
says  Reuter,  whose  group  uses  portfo¬ 
lio  management  software  from  Belle- 


COMPUTERWORLO  August  30, 2004 


-  Establish  criteria  for  small  proj¬ 
ects,  including  duration  and  dollar 
amounts. 


-  Create  a  standard  small-project 
methodology. 

-  Monitor  projects,  even  if  it’s  done 
via  e-mail  or  spreadsheets. 

-  Consider  setting  aside  a  budget 
specifically  for  small  projects  so 
that  project  sponsors  don’t  have  to 
compete  with  large  projects  for 
funding  and  prioritization. 

-  Don’t  take  shortcuts.  It  could 
cost  you  down  the  road. 


vue,  Wash.-based  Pacific  Edge  Soft¬ 
ware  Inc. 

But  certain  efforts  don’t  meet  the 
threshold  for  project  rigor.  For  exam¬ 
ple,  if  the  company  has  a  $20,000  soft¬ 
ware  enhancement  to  complete,  “we 
don’t  do  much  management  of  that 
other  than  determining  which  tweaks 
will  be  done  first,”  Reuter  says. 

A  business  case  also  has  to  be  made 
for  projects  of  all  sizes  at  Brown  Broth¬ 
ers  Harriman  &  Co.,  a  private  bank  in 
New  York.  The  difference  is  that  a 
smaller  project  might  not  require  the 
same  amount  of  detail.  “Maybe  a  two- 
page  business-requirement  document 
instead  of  a  50-page  document,”  says 
Rick  Berk,  the  bank’s  CIO. 

The  bank’s  senior  management 
monitors  all  projects  using  a  combina¬ 
tion  of  weekly  and  monthly  reports 
developed  with  portfolio  management 
software  from  Redwood  City,  Calif.- 
based  Niku  Corp. 

Large  projects  still  command  more 
quality  assurance  staffers  than  small 
projects,  Berk  says.  But  to  ensure  that 
smaller  projects  are  held  to  a  consis¬ 
tent  standard,  the  bank’s  IT  staff  has 
written  test  scripts  for  them.  That  en¬ 
ables  the  bank  to  perform  faster  and 
more  automated  regression  testing 
that’s  “less  of  a  burden  for  smaller 
projects,”  says  Berk. 

IT  shops  vary  in  their  approach  to 
small  projects,  but  Forrester’s  Visita¬ 
cion  says  smart  project  managers 
agree  on  one  thing:  “You  can  scale 
down  the  rigor,  but  you  can’t  throw 
away  the  requirements.”  ©  48650 


CHECKING  OUT  CMM 

CMM:  The  Capability  Maturity  Model  can  add  rigor 
to  projects  of  any  size: 

OQuickLink  48652 

www.computerworld.com 


f] 


Middleware  is  Everywhere.  Can  you  see  it? 


&  !M£0mF& 

"U  V*'C*s;. *  •*•  *^  j*eK 


$41 :tf 


o 

DB2. 

Key 

MIDDLEWARE  IS  IBM  SOFTWARE.  Fans,  broadcasters, 
even  players,  are  accessing  every  shot  at  PGA  TOUR® 
events  online  -  in  real  time.  The  scalable  multiplatform 
technology  of  IBM  DB2  integrates  and  manages 
information,  allowing  SHOTLink,  the  PGA  TOUR’s  ball¬ 
following  technology,  to  uplink  and  downlink  every  shot, 
run  all  the  numbers  and  tell  the  entire  story  -  hole  by  hole. 

1.  Player  attempts  30-foot  chip. 

2.  Operator  measures  distance. 

3.  Stats  entered  into  PDA. 

4.  SHOTLink  truck  transmits  data. 

5.  Broadcaster  broadcasts  a  “birdie!” 

Middleware  for  the  on  demand  world.  Learn  more  at  ibm.com/middleware/information 

DEMAND  BUSINESS' 

& 


38  COMPUTERWORLD  August  30, 2004 


MANAGEMENT 


GARY  J.  RUE 

•:  Database  administrator 

Employer:  Commonwealth  of 
Kentucky 

Years  in  IT:  32 

Years  in  current  specialty:  31 


What  is  a  database  administrator? 

Someone  who  maintains  and  supports 
the  database  engine.  In  database  ad¬ 
ministration,  there  are  the  people  on 
the  design  and  architecting  of  the  data¬ 
base  —  the  logical  side  —  and  then 
there’s  the  physical  component,  where 
we  take  the  logical  and  make  it  into  the 
physical  and  administer  the  database 
after  it’s  up  and  running.  The  area  that 
I  manage  is  more  on  the  production 
and  physical  side  of  database  support. 

What  is  the  most  important  contribution 
you  make,  and  how  do  you  make  it?  Our 

most  important  contribution  is  to  keep 
the  database  running.  It’s  an  on-call 
function;  you  never  know  what  might 
happen.  Half  the  branch  was  up  all 
night  last  night  restoring  a  database  be¬ 
cause  of  a  failure.  Data  recovery  is  very 
important,  and  so  is  performance  tun¬ 
ing  and  problem  solving.  In  IT,  you  tend 
to  start  at  the  back  end  and  work  out  to 
see  where  the  problem  lies,  so  general¬ 
ly,  we’re  one  of  the  first  areas  that  will 
be  contacted  when  a  problem  occurs. 

What  is  the  most  important  IT  skill  or 
aptitude  you  need  to  do  your  job?  We 

need  to  understand  how  the  database 
engine  works.  We  need  to  understand 
the  technical  components  of  the  appli¬ 
cation  environment,  the  processes 
within  the  environment  and  the  rela¬ 
tionships  of  all  the  people  surrounding 
the  environment.  There’s  science,  but 
there’s  art  as  well. 

What  is  the  most  important  “soft”  skill  or 
personality  characteristic  you  need  to  do 
your  job?  We  have  to  be  good  sounding 
boards.  We  have  to  help  others  identify 
and  solve  their  own  problems.  They  tell 
us  what  they  think  is  wrong,  but  we  have 
to  get  them  to  see  outside  of  where  they 
think  the  problem  is,  because  if  they 
really  knew,  they  wouldn’t  be  talking  to 
us  in  the  first  place.  A  good  database 
administrator  has  to  see  the  relation¬ 
ships  among  the  technology  pieces,  the 
people,  the  systems.  We  have  to  see  the 
bigger  picture  and  relate  it.  Sometimes 
we  have  to  take  a  very  technical  piece 


me  Thrill 

Of  Crisis 


DBAs  are  often  the 
last  to  be  involved  in 
planning  but  the  first  to 
be  called  when  things  go  wrong. 


WHO’S 
WHO  IT 


THIS  IS  THE  FIRST  IN  A  PERIODIC  SERIES  EXPLORING  HOW  IT  PEOPLE  SEE  THEIR  JOBS. 


and  translate  it  to  people  at  all  levels  of 
technical  knowledge.  That’s  hard  to  do. 

What  is  the  biggest  misconception  about 
what  you  do?  We’re  a  very  tactical 
group  —  we  have  to  be.  But  there’s  a 
strategic  part  of  what  we  do  so  we  can 
apply  the  tactical  parts  appropriately. 
For  example,  a  developer  says,  “Create 
these  tables.”  But  for  us  to  really  do  a 
good  job,  we  need  to  know  why.  We 
need  to  know  how  and  when  those 


tables  are  going  to  be  accessed.  We 
need  to  understand  the  system  so  we 
can  apply  appropriate  security.  We  also 
have  to  understand  what  type  of  data 
recovery  scenarios  we  need  to  address, 
how  and  when  to  do  the  backups  and 
where  they  will  be  stored.  And  we 
need  to  go  through  all  types  of  scenar¬ 
ios  to  adequately  recover  that  database. 

What  do  you  like  best  about  your  job?  The 

people  we  work  with.  The  systems  peo- 


www.computerworld.com 


pie,  developers  —  they’re  all  problem 
solvers.  They’re  all  smart,  creative  IT 
people.  And  being  in  support,  a  crisis  is 
always  just  around  the  corner.  I  like  the 
thrill  of  the  crisis.  I  like  being  put  on  the 
spot  to  find  a  way  to  solve  a  problem. 

What  do  you  like  least?  I  don’t  like  to 
take  care  of  problems  that,  if  I’d  gotten 
enough  information  upfront  or  the 
right  information,  we  could  have  dealt 
with  it  then.  I  don’t  like  to  put  some¬ 
thing  in  production  and  then  have  to 
fix  it  because  future  possibilities  hadn’t 
been  considered. 

What  should  IT  people  know  about  your 
role?  Today’s  developers  have  data¬ 
bases  on  their  desktops,  so  they  think 
they’re  mini-DBAs.  When  we  get  in¬ 
volved,  it’s  always  after  the  implemen¬ 
tation.  Lots  of  issues  could  have  been 
addressed  if  we  had  been  involved  ear¬ 
lier  in  the  development  process.  Also, 
we  do  have  a  recovery  role,  and  we 
should  be  asked  about  the  recovery 
possibilities  when  a  database  goes 
down.  IT  people  sometimes  think  they 
know  how  to  recover,  so  generally  we 
get  brought  into  it  because  they  have 
recovered  incorrectly. 

What  should  business  people  know  about 
your  role?  Business  people  think  IT 
can  do  anything,  but  they  need  to  know 
that  there  is  a  cost  associated,  and 
sometimes  the  cost  is  too  high  to  im¬ 
plement  certain  features.  There  are 
still  priorities  you  have  to  set. 

What  would  enable  you  to  do  your  job 
better?  Having  more  database  tools 
and  early  interaction  during  the  devel¬ 
opment  process. 

If  you  were  not  a  data  architect,  what 
would  you  be?  A  detective.  Trying  to 
dig  information  out  of  people,  the  abili¬ 
ty  to  look  at  disparate  pieces  of  infor¬ 
mation  and  apply  them  appropriately 
to  determine  how  an  event  happened 
—  you  have  to  be  a  little  bit  of  a  detec¬ 
tive  as  a  DBA. 

How  does  the  future  look  for  your  role? 

I  think  of  us  as  the  hub.  The  business 
user,  the  developer,  the  operations  per¬ 
son,  the  systems  person  —  they  all  re¬ 
late  to  the  database  in  some  way.  Our 
job  changes  slightly  with  new  technol¬ 
ogy,  but  I  think  a  DBA  will  be  a  very, 
very  important  role  for  years  to  come. 
And  besides,  everybody  needs  some¬ 
one  to  point  the  finger  at.  ©  48695 


Interview  by  Kathleen  Melymuka. 

Rue  can  be  contacted  at  gary.rue@ky.gov. 


www.computerworld.com 


MANAGEMENT 


COMPUTERWORLD  August  30. 2004 


37 


n  From  FT 
Governance 

To  I  lacking 


Recent  man¬ 
agement  books 
provide  tips 
on  IT  gover¬ 
nance,  CIO 
survival,  agile 
project  man¬ 
agement  and 
understanding 
hackers. 


IT  Governance:  How  Top 
Performers  Manage  IT 
Decision  Rights  for  Superior 
Results,  by  Peter  Weill  and  Jeanne 
W.  Ross  (Harvard  Business  School 
Press,  2004;  269 pages,  $35). 

IT  governance  is  a  pressing 
issue  these  days,  particularly 
since  technology 
spending  accounts  for 
up  to  half  of  all  capital 
expenditures  at  many 
companies.  But  few 
managers  can  accu¬ 
rately  describe  IT  governance 
within  their  companies,  much 
less  quantify  the  impact  of 
good  governance  on  their  bot¬ 
tom  lines. 

Weill  and  Ross,  research  sci¬ 
entists  at  the  Center  for  Infor¬ 
mation  Systems  Research  at 
MIT’s  Sloan  School  of  Man¬ 
agement,  do  just  that  and 
more.  For  in¬ 
stance,  a  CISR 
study  of  256 
global  compa¬ 
nies  reveals  that 
the  profits  of 
companies  with 
top-notch  IT 
governance 
practices  are 
20%  higher  than 
those  of  compa¬ 
nies  with  poor 
IT  governance. 

More  impor¬ 
tant,  the  authors 
thoroughly  de¬ 
scribe  what  IT 
governance  is, 
classify  the  ap¬ 
proaches  used  to 
govern  IT  and 
offer  advice  on 
how  to  set  up  an 


IT  governance  committee. 

While  the  authors  acknowl¬ 
edge  that  there  is  no  one-size- 
fits-all  approach  to  effective 
IT  governance,  their  research 
Finds  that  companies  that  are 
focused  on  either  profits  or 
growth  tend  to  have  similar 
governance  models. 

The  book  is  aimed 
at  for-profit  compa¬ 
nies,  but  it  has  a  chap¬ 
ter  devoted  to  govern¬ 
ment  agencies  and 
not-for-profits.  This  is  highly 
recommended  reading  for 
anyone  who’s  struggling  with 
these  issues. 


Agile  Project  Management: 
Creating  Innovative  Products, 

by  Jim  Highsmith  (Addison-Wesley, 
2004; 277 pages,  $34.95).  Al¬ 
though  agile  software  devel¬ 
opment  has  been  practiced 
for  several  years,  many  com¬ 
panies  continue  to  be  ham¬ 
pered  by  process-laden,  top- 
down  project  management 
approaches.  Enter  agile  proj¬ 
ect  management,  a  more 
responsive  and  flexible  ap¬ 
proach  to  project  manage¬ 
ment.  This  approach  places 
more  authority  in  the  hands  of 
project  leaders  and  line  work¬ 
ers  who  are  doing  the  execut¬ 
ing  while  concentrating  on  de¬ 
livering  customer  value. 

Don’t  assume  that  agile 
project  management  is  “PM 
lite.”  In  Highsmith’s  view, 
agile  project  management 
doesn’t  dismiss  the  impor¬ 
tance  of  effective  quality  as¬ 
surance,  documentation  or 
testing,  but  it  does  de-empha- 


Agile  Project 
Management 


Jim  Highsmith 


size  them  as  core  principles. 

Instead,  Highsmith  effec¬ 
tively  cites  forward-thinking 
project  management  princi¬ 
ples  that  have  been  espoused 
by  his  peers  and  pulls  them 
into  a  cohesive,  usable  ap¬ 
proach.  He  also  goes  to  great 
lengths  to  explore  the  single 
most  critical  component  of  ef¬ 
fective  project  management: 
people. 


CIO  Survival  Guide:  The 
Roles  and  Responsibilities  of 
the  Chief  Information  Officer. 

by  Karl  D.  Schubert  (John  Wiley  & 
Sons,  2004;  294  pages,  $45).  This 
up-to-date  how-to  book  is 
useful  for  seasoned  CIOs  as 
well  as  newcomers  who  have 
recently  transitioned  into 
the  role. 

Schubert,  a  former  chief 
technical  officer  at  Dell  Inc. 
who’s  currently  chief  operat¬ 
ing  officer  at  network  storage 
provider  Zambeel  Inc.,  offers 
readers  a  logical  approach  to 
the  CIO’s  role  and  challenges, 
including  tips  on  building  re¬ 
lationships  with  company  ex¬ 
ecutives,  business  partners 
and  other  key  constituents. 

Particularly  useful  are  check¬ 


lists  such  as  “Ten  Questions 
the  CIO  Must  Ask  the  CEO.” 

Schubert’s  work  draws  upon 
insights  from  several  leading 
management  gurus,  including 
Harvard  Business  School’s 
Clayton  M.  Christensen  and 
John  Seely  Brown.  This  book 
is  a  good  read  for  any  CIO 
i  who’s  trying  to  thrive  or  sim- 
!  ply  survive. 


Know  Your  Enemy:  Learning 
About  Security  Threats, 

by  The  Honeynet  Project  (Addison- 
Wesley,  2004;  768 pages,  $49.99). 
Founded  in  October  1999, 

The  Honeynet  Project  (www. 
honeynet.org )  is  a  nonprofit 
research  organization  of  secu¬ 
rity  professionals  who  built  a 
computer  network,  wired  it 
with  sensors,  put  it  up  on  the 
Internet  and  recorded  what 


happened.  (The  actual  IP  ad¬ 
dress  isn’t  published  and 
changes  regularly.)  Hackers’ 
activities  are  recorded  as  they 
occur:  how  they  try  to  break 
in,  when  they’re  successful 
and  what  they  do  once  they 
break  in. 

This  is  a  fairly  technical  read 
with  quite  a  bit  of  information 
about  how  honeynets  work  and 
what  goes  into  both  Unix  and 
Windows  computer  forensics. 
But  the  authors  also  provide  a 
detailed  sociological  analysis 
of  the  white-hat  and  black-hat 
hacker  communities,  includ¬ 
ing  an  extensive  examination 
of  their  motives.  ©  48699 

—  Thomas  Hoffman 


MORE  REVIEWS 

Check  out  previous  book  reviews  on 
our  Web  site: 

QuickLink  a2240 
www.computerworld.com 


BOOK  Mi 
REVIEWS 


33 


COMPUTERWORLD  August  30, 2004 


MANAGEMENT 


www.computerworld.com 


CXO  Names  CTO 


ALGK  BATRA  has  been  named 
chief  technology  officer  at  CXO 
Systems  in  Waltham,  Mass.  In  his 
previous  role  as  vice  president  of 
engineering,  Batra  led  the  devel¬ 
opment  of  the  company’s  man¬ 
agement  dashboard  products.  He 
co-founded  Dashboard  Systems, 
which  is  now  CXO  Systems. 


Transplace  Picks 
Cashman  for  CTO 

ROY  CASHMAN  has  joined  Trans¬ 
place  Inc.  as  CTO.  Plano,  Texas- 
based  Transplace  is  a  transporta¬ 
tion  logistics  management  pro¬ 
vider.  Previously,  Cashman  was 
CIO  at  Ruan  Transportation  Man¬ 
agement  Systems. 


Carver  to  Head  IT 
Unit  at  Dana  Corp. 

BRUCE  C.  CARVER  is  now  CIO  at 
Dana  Corp.,  an  automotive  prod¬ 
ucts  manufacturer  in  Toledo, 

Ohio.  Previously,  Carver  was  divi¬ 
sion  CIO  for  PepsiCo  Beverages 
and  Foods,  a  unit  of  PepsiCo  Inc., 
and  CIO  at  The  Reynolds  and 
Reynolds  Co.,  a  provider  of  auto¬ 
motive  software. 


Certoma  to  Lead  IT 
At  Wachovia  Unit 

SUSAN  CERTOMA  has  joined  Char¬ 
lotte  N.C.-based  Wachovia  Corp. 
as  CIO  of  the  company’s  corpo¬ 
rate  and  investment  bank.  Previ¬ 
ously,  she  was  a  vice  president  in 
the  global  sales  technology  orga¬ 
nization  at  Goldman  Sachs  &  Co. 


Holeman  Moves 
To  Sentient  Jet 

DAVID  HOLEMAN  has  been  named 
vice  president  of  IT  at  Sentient  Jet 
Inc.,  a  Norwell,  Mass.-based  pri¬ 
vate  jet  service.  Holeman  will  be 
responsible  for  specialty  technol¬ 
ogy  as  well  as  for  CRM  and  call 
center  technology.  He  was  previ¬ 
ously  CIO  at  Monitor  Group  in 
Cambridge,  Mass. 


GOPAL  K.  KAPUR 


Intelligent 

Disobedience 


DISCUSSIONS  with  project  managers  about 
the  key  causes  of  failed  and  challenged  proj¬ 
ects  always  raise  two  primary  issues:  half- 
baked  or  harebrained  ideas  becoming  proj¬ 
ects,  and  excessive  scope  creep. 

Traditionally,  senior  management  is  charged  with 
conceiving  ideas  that  will  drive  the  organization  to¬ 


ward  profitability  and  in¬ 
dustry  leadership.  Hence, 
there  is  immense  pressure 
on  executives  to  deliver  in¬ 
novative  ideas  that  can  be 
turned  into  products  and 
services  for  profit  and 
competitive  advantage.  Un¬ 
fortunately,  these  visions 
are  often  intertwined  with 
any  number  of  half-baked 
and,  at  times,  harebrained 
ideas.  When  half-baked 
and  harebrained  ideas  get 
communicated  to  them, 
many  project  managers 
don’t  object  because  of  a 
culture  of  not  questioning 
the  senior  people.  The  gen¬ 
eral  thinking  is,  “How  could  they  be 
wrong?” 

Another  big  contributor  to  failed 
and  challenged  projects  is  the  in¬ 
evitable  scope  creep.  We  all  know  that 
at  times  customers  can  be  unreason¬ 
able  and  unrealistic  in  their  expecta¬ 
tions,  but  they’re  also  subject  to  exter¬ 
nal  pressures  they  can’t  control  — 
government  regulations,  competitive 
positioning,  emerging  opportunities 
and  the  classic  “silver  bullet”  syn¬ 
drome,  also  known  as  Management  by 
Magazine.  (This  occurs  when  the  cus¬ 
tomer  reads  an  article  on  an  airplane 
while  35,000  feet  over  Kansas  and 
forms  a  new  vision.) 

But  forcing  the  team  to  agree  to 
continuous  scope  creep  is  clearly  not 
the  solution.  And  you  get  hit  with  a 
double  whammy  when  projects  are 
built  around  half-baked  ideas.  A  half- 


baked  idea  that  turns  into  a 
project  with  extensive 
scope  creep  is  a  nightmare. 

What  can  project  man¬ 
agers  do  to  minimize  these 
problems?  Simply  stated: 
Learn  to  say  no. 

Of  course,  project  man¬ 
agers  may  feel  that  they 
don’t  have  the  ability  or 
wherewithal  to  say  no  and 
that  their  only  option  is  to 
do  as  they’re  told,  even 
though  they  know  that  the 
outcome  may  harm  the  or¬ 
ganization.  This  begrudg¬ 
ing  compliance  is  an  unfor¬ 
tunate  attitude  in  any  cir¬ 
cumstance.  In  the  extreme 
case,  it  can  lead  to  disaster. 

This  is  where  the  concept  of  intelli¬ 
gent  disobedience  comes  into  play.  In¬ 
telligent  disobedience  is  a  trait  clearly 
illustrated  by  guide  dogs  for  the  blind: 
At  an  intersection,  based  on  traffic 
sounds  and  a  general  sense  of  safety, 
the  blind  person  initiates  the  move  to 
cross  the  street,  giving  a  signal  to  the 
dog.  If  traffic  is  blocking  the  cross¬ 
walk,  however,  the  guide  dog  will  dis¬ 
obey  the  move-forward  command.  In 
guide-dog  training  lingo,  intelligent 
disobedience  is  the  dog’s  response 
when  it  senses  that  the  path  ahead  is 
dangerous.  It  disobeys  even  though 
the  owner  wants  to  proceed. 

Now  consider  a  different  scenario: 
The  dog  disobeys  the  owner’s  com¬ 
mand  because  it  sees  traffic  blocking 
the  intersection.  The  dog’s  owner  pun¬ 
ishes  the  dog  for  its  disobedience  until 


gopal  K.  Kapur  is  presi¬ 
dent  of  the  Center  for 
Project  Management  in 
San  Ramon,  Calif.,  and 
author  of  Project  Man¬ 
agement  for  Information, 
Technology,  Business 
and  Certification  (Pren¬ 
tice  Hall,  2005). 

Contact  him  at 
gkapur@center4pm.com. 


the  dog  finally  proceeds.  You  can 
imagine  the  consequences. 

It’s  important  to  note  that  dog  own¬ 
ers  are  trained  to  trust  their  guide 
dogs  because  the  two  have  to  work  as 
a  team  for  the  protection  and  safety  of 
the  owner. 

The  essence  of  the  intelligent  disobe¬ 
dience  behavior  as  it  applies  to  project 
managers  is  to  say  a  firm  “no”  to  the 
demands  of  executives  and  customers 
when  such  demands  will  put  the  proj¬ 
ect,  and  hence  the  organization,  in 
harm’s  way.  Humans  are  supposed  to 
be  smarter  than  dogs,  but  it’s  amazing 
how  difficult  it  is  to  teach  humans  to 
exercise  intelligent  disobedience. 

Intelligent  disobedience  requires 
empowerment  and  trust.  It’s  important 
that  project  managers  be  well  trained 
in  reading  the  danger  signals  and  em¬ 
powered  to  push  back  when  they  be¬ 
lieve  that  a  proposed  project  will  put 
the  organization  in  harm’s  way  or  that 
the  requested  scope  creep  will  create 
undue  risk.  Project  sponsors  and  cus¬ 
tomers  have  to  learn  to  trust  their 
project  managers  to  do  the  right  thing. 

Unfortunately,  project  managers 
can’t  change  the  culture  on  their  own 
because  many  lack  the  political  chips 
and  the  skill  to  negotiate  with  over¬ 
bearing  executives  and  unreasonable 
customers.  They  need  the  sponsor’s 
help  and  support. 

For  intelligent  disobedience  to  be¬ 
come  accepted,  sponsors  must  work  to 
establish  an  environment  of  open  and 
forthright  communication  with  trust 
and  respect  for  their  project  managers. 

Whether  project  managers  react 
with  intelligent  disobedience  or  be¬ 
grudging  compliance  largely  depends 
on  the  organization’s  culture.  Are  proj¬ 
ect  managers  in  your  organization  en¬ 
couraged  to  practice  intelligent  dis¬ 
obedience?  O  48678 


WANT  OUR  OPINION? 

OFor  more  columns  and  links  to  our  archives,  go  to 

www.computerworld.com/opinions 


Got  Questions  About 
Network  Consolidation? 


Computerworld’s  IT  Executive  Summit  Has  the  Answers 


If  you’re  an  IT  executive*  in  an  end-user 
organization,  apply  to  attend  Computerworld’s 
upcoming  complimentary  half-day  summit 

on  Network  Consolidation. 

CIOs  and  senior  IT  executives  are  finding 
that  consolidating  high-performance  networks 
can  play  a  key  role  in  improving  business 
application  performance  while  significantly 
reducing  operational  costs. 

The  proliferation  of  network  capacity  and 
related  storage  and  server  infrastructure 
presents  a  daunting  challenge  for  today’s 
enterprises,  many  of  which  are  positioning 
themselves  for  growth  yet  still  seeking  to 
reduce  IT  costs  where  feasible. 

By  leveraging  the  knowledge  of  industry 
experts  and  the  real-world  experience  and 
advice  of  your  IT  peers,  this  IT  Executive 
Summit  will  provide  an  overview  of  effective 
strategies  for  consolidating  and  connecting 
networks  and  data  center  applications. 

*  Complimentary  registration  is  restricted  to 
qualified  IT  executives  only. 

Apply  for  registration  today 

For  more  information  or  to  apply,  visit 
www.itexecutivesummit.com/nc 


Streamlining  Networks  and  Data  Centers: 

The  Business  Benefits  of  Consolidation 

Dallas  •  September  22,  2004 

Renaissance  Dallas  •  2222  Stemmons  Freeway  •  Grand  Ballroom 


7:30am  to  8:00am  Registration  and  Networking  Breakfast 


8:00am  to  8:15am 


8:15am  to  8:45am 


8:45am  to  9:15am 


Rebuilding  the  IT  Foundation 

Maryfran  Johnson,  Editor  in  Chief,  Computerworld 

Consolidation  and  the  Data  Center: 
Boosting  Business  Performance 
and  Application  Availability 

Richard  Villars,  Vice  President,  Storage  Systems 
Research,  I  DC 

User  Case  Study  —  Hilton  Hotels: 
Considering  the  Next  Generation  Network 

Damien  Bean,  Vice  President,  Corporate  Systems, 
Hilton  Hotels 


9:15am  to  9:45am  User  Case  Study  —  MasterCard  International 

Jerry  McElhatton,  Senior  Executive  Vice  President, 

Global  Technology  and  Operations,  MasterCard  International 

9:45am  to  10:15am  Refreshment  and  Networking  Break 


10:15am  to  10:45am  Infrastructure  Makeover: 

Moving  the  U.S.  Air  Force  Toward 
Network-Centric  Services  Delivery 

Brigadier  General  Brad  Butler,  Deputy  Chief  Information 
Officer,  U.S.  Air  Force 


10:45am  to  11:15am  Customer  Challenges  and  Solutions: 

Real-Life  Scenarios  Connecting  Data 
Centers  Over  Distance 

Steve  Adolph,  CTO,  Enterprise  Solutions  Group,  CIENA 

11:15am  to  Noon  Panel:  Overcoming  Management  Barriers  — 

Making  the  Case  for  Consolidation 


Selected 

speakers 

include: 


Maryfran  Johnson 
Editor  in  Chief, 
Computerworld 


Brigadier  General 
Brad  Butler 
Deputy  Chief 
Information  Officer 
U.S.  Air  Force 


Jerry  McElhatton 
Senior  Executive 
Vice  President, 
Global  Technology 
and  Operations, 
MasterCard 
International 


Damien  Bean 
Vice  President, 
Corporate  Systems, 
Hilton  Hotels 


Noon 


Panel  Moderator:  Don  Tennant,  News  Editor,  Computerworld 

Panelists:  Damien  Bean,  Vice  President,  Corporate  Systems, 
Hilton  Hotels;  Frank  Enfanto,  Vice  President,  Operations 
Delivery  &  Information  Security,  Blue  Cross  Blue  Shield  of 
Massachusetts;  Steve  Goldman,  Director,  Network 
Architecture,  Chicago  Mercantile  Exchange;  Ron  Kifer, 

Vice  President,  Program  Management,  DHL  Express; 

Jerry  McElhatton,  Senior  Executive  Vice  President, 

Global  Technology  and  Operations,  MasterCard  International 

Program  Concludes 


Steve  Adolph 
CTO,  Enterprise 
Solutions  Group, 
CIENA 


Exclusively  sponsored  by: 


CIENA 


9  J  • 

•  •• 

•  •  •  • 

i  !  • 


COMPUTERWORLD 

IT  EXECUTIVE  SUMMIT 


NETWORK  CONSOLIDATION 


it  careers 


it  careers.com 


IT  PROFESSIONALS 

Senior  Manager,  Strategy  and  Operations 

(Glen  Mills,  Pennsylvania  and  other  locations  through  the  U.S.).  Lead 
sales  pursuits  and  execution  of  re-engineering  projects  from  conception 
to  final  delivery  in  the  area  of  strategy  and  operations  as  well  as  supply 
chain  and  procurement  assignments  for  clients.  Responsible  for  industry 
and  client  financial  and  strategic  analysis,  modeling  and  business  case 
development.  Responsible  for  New  Product  Development  Stage  Gate 
Processes,  strategic  procurement  and  sourcing,  advertising  effective¬ 
ness,  SAP  Process  design  and  configuration  and  Trade  Promotion 
Management  within  the  Consumer  Business  Industry.  Manage  perfor¬ 
mance  of  projects  including  identification  of  issues,  root-cause  analyses, 
the  structuring  of  solution  frameworks,  financial  analysis  and  modeling 
and  data  analysis.  Lead  vendor  discussions  and  negotiations,  and  act  as 
the  primary  interface  with  senior  client  executives.  Supervise  client 
change  management  programs,  including  enterprise-level  constructive 
communications.  Responsible  for  recruitment  of  engagement  teams, 
supervising  Consultants  at  various  levels,  providing  direction  to  the  team 
and  providing  feedback  on  their  performance.  Responsible  for  systems 
selection  and  implementation,  including  ERP,  e-sourcing  and  new  product 
development.  Create  tools,  frameworks  and  methodologies  to  develop 
intellectual  capital.  Responsible  for  trade  promotions  management  includ¬ 
ing  best  practices  and  supporting  technology. 

The  wage  offered  is  $135,000  per  year.  The  work  schedule  is  Monday- 
Friday,  9:00  am  to  5:00  pm.  The  minimum  requirements  are  as  follows: 
Bachelor's  degree  in  Business  Administration,  Operations,  Finance  or 
Management  +  7  years  of  experience  in  the  job  offered  or  7  years  of  expe¬ 
rience  as  a  Senior  Manager,  Manager.  Senior  Consultant,  Consultant, 
Account  Director,  Account  Manager,  Account  Executive  or  related  occu¬ 
pation.  Employer  will  regard  a  foreign  degree  to  be  equivalent  to  a  US 
Bachelor's  degree  as  determined  by  an  accredited  academic  credentials 
evaluation  service.  Related  experience  must  include  at  least  2  years  with 
Sales  and  Merchandising  Strategy  in  account  management,  SAP  process 
design  and  configuration,  Trade  Promotion  Management,  and  New 
Product  Development,  including  experience  with  the  Stage-Gate  process, 
strategic  sourcing  and  project  management  with  consumer  product  and 
retail  industry  segments  as  well  as  Consumer  Business  Strategy  and 
Operations. 

Please  send  your  resume,  referencing  Job  Order  Number  WEB448386  to 
the:  PA  Careeriink,  FLC  Unit,  235  W.  Chelten  Avenue,  Philadelphia,  PA 
19144.  EOE. 


IT  PROFESSIONALS 
Senior  Consultant 

(Glen  Mills,  Pennsylvania  and  other  locations  through  the  U.S.).  Perform 
accurate  analysis  and  effective  diagnosis  of  client  issues  and  manage 
day-to-day  client  relationships  and  project  teams.  Responsible  for  assist¬ 
ing  client  organizations  in  developing  roadmaps  to  establish  customer 
analytics  environment  and  support  business  growth.  Evaluate  the  existing 
customer  care  processes  including  Siebel  implementations  for  telecom¬ 
munications  industry  clients  and  define,  develop  and  deliver  training  pro¬ 
grams  to  enhance  user  acceptance.  Perform  business  process  reengi¬ 
neering,  strategic  planning  and  knowledge  management  related  to  devel¬ 
opment  and  implementation  of  new  business  and  system  processes. 
Define  systems  strategy,  develop  system  requirements,  administer  testing 
and  training,  and  define  support  procedures  for  systems  including  CRM 
systems  (Siebel),  and  application  portal  (Broadvision).  Identify  and  evalu¬ 
ate  control  structures,  especially  for  IT-enabled  processes.  This  includes 
identification  of  inadequate  practices,  testing  of  control  systems,  recom¬ 
mending  measures  for  improvement,  and  establishing  plans  for  ongoing 
monitoring.  Actively  evaluate  client’s  systems  in  relation  to  the  competitive 
landscape,  identify  efficiency  frontier  and  develop  reinforcing  activities 
and  capabilities  for  sustainable  competitive  advantage. 

The  wage  offered  is  $95,000  per  year.  The  work  schedule  is  Monday- 
Friday,  9:00  am  to  5:00  pm.  The  minimum  requirements  are  as  follows: 
Bachelor’s  degree  in  Computer  Science,  Engineering  (any).  Management 
Information  Systems  or  Business  Administration  +  2  years  of  experience 
in  the  job  offered  or  2  years  of  experience  as  a  Senior  Consultant, 
Consultant,  Systems  Analyst  or  related  occupation.  Related  experience 
must  include  at  least  two  years  of  consulting  experience  in  the  telecom¬ 
munications  industry  with  at  least  one  year  of  CRM  Systems  knowledge 
including  Siebel  development  and  Broadvision.  Please  send  your  resume, 
referencing  Job  Order  Number  WEB448348  to  the:  PA  Careeriink,  FLC 
Unit,  235  W.  Chelten  Avenue,  Philadelphia,  PA  19144.  EOE. 


Seeking  qualified  applicants  for 
the  following  positions  in  Mem¬ 
phis,  TN:  Senior  Business  Sys¬ 
tems  Analyst.  Develop  major 
applications  systems  require¬ 
ments,  testing  and  controls. 
Requirements:  Bachelor’s  de¬ 
gree  or  equivalent"  in  business, 
computer  science,  engineering, 
mathematics,  MIS  or  related 
field,  plus  5  years  of  experience 
in  systems  planning  and  design 
or  systems  development  and  int¬ 
egration.  Experience  with  main¬ 
frame  systems  support,  invoic¬ 
ing/revenue  testing,  and  writing 
and  executing  test  plans  and 
test  scripts  also  required.  "Mas¬ 
ter’s  degree  in  appropriate  field 
will  offset  2  years  of  general 
experience.  Submit  resumes  to 
David  Hanks,  Federal  Express 
Corporation,  3680  Hacks  Cross 
Road,  Bldg  H,  1st  Floor,  Mem¬ 
phis,  TN  38125.  EOE  M/F/DA/. 


Oracle  Clinical  Consultant  to 
plan,  design  study  in  Oracle 
Clinical  4.0;  develop  DCMs, 
remote  data  entry  screens,  DCIs 
etc;  design,  develop  validation 
procedures  using  PL/SQL  in 
Oracle  Clinical's  validation  mod¬ 
ule;  develop  SAS,  SQL  views 
using  TOAD,  SAS,  Oracle  Clin¬ 
ical;  perform  CRF  designing, 
database  building,  randomiza¬ 
tion,  query  resolution,  reporting, 
subject  randomization  algo¬ 
rithms  using  Oracle  Clinical, 
Normlab,  SAS,  SPSS,  Adobe 
Framemaker.  Require:  MS  in 
CS,  Computer  Engg  or  Statistics 
and  6  months  exp  in  Oracle  Clin¬ 
ical,  SAS.  Competitive  salary, 
F/T,  travel  involved.  Resumes 
to:  Scott  Bryant,  Judge  Tech¬ 
nical  Services,  Inc.  3  Davol 
Square,  Suite  3A,  Providence, 
Rl 02903. 


COMPUTER 

T&T  Solutions  seeks 
Software  Engineers,  Sr. 
Software  Engineers, 
Systems  Analyst,  Or¬ 
acle  Apps.,  technical 
consultants  etc.  Salary 
commensurate  w/edu- 
cation  &  exp.  Fax 
resume  to  (818)  676- 
1272  or  e-mail  to 
iobs@ttsus.com  c/o  HR 
Dept. 


Recognition  Algorithms  Dev 
Engineer  -  Recognition  problem 
classification  w/respect  to  real- 
life  images  &  analysis  of  system 
requirements.  Mathematical  for¬ 
malization  of  specific  recognition 
problems  using  Probability 
Theory,  Neural  Networks, 
Pattern  Recognition  & 
Metastroke  Theory.  Develop¬ 
ment  of  program  architecture  & 
interfaces.  Development  of  algo¬ 
rithms  of  statistical  data  analy¬ 
sis.  Image  processing  algo¬ 
rithms,  algorithm  &  SW  develop¬ 
ment  for  field  location  on  forms, 
form  removal,  document  struc¬ 
ture  analysis,  phrase  &  word 
segmentation.  Implementation 
of  algorithms  using  C/C++  & 
Assembler  in  actual  recognition 
products.  Tuning  &  customiza¬ 
tion  of  recognition  products  for 
specific  data  sets.  Optimization, 
support  &  improvement  of  the 
code  for  Win  &  UNIX  platforms. 
BS  Comp  Sci  or  related  field  + 
working  knowledge  of  Algo¬ 
rithms  development  &  imple¬ 
mentation;  Probability  Theory, 
Statistics,  Neural  Networks  and 
Metastroke  Theory;  Document 
analysis  for  handwriting  recogni¬ 
tion;  C/C++  &  Assembler.  $70k/ 
yr.  M-F.  40  hrs/wk.  Boulder.  CO. 
Must  have  proof  of  legal  author¬ 
ity  to  work  permanently  in  U.S. 
Application  by  resume  only  to 
Workforce  Development  Prog¬ 
rams,  PO  Box  46547.  Denver, 
CO  80202,  Ref  job# 
CO5088878 


SENIOR  SOFTWARE  ENGI¬ 
NEER.  Responsible  for  design  of 
back  end  products  (Service 
Monitor)  used  by  company's 
major  products.  Design  XML/COM 
property  set  based  communication 
architecture  between  back  end 
and  high  level  front  ends  using 
Visual  Basic  script.  Design  silent 
script  based  setup  program  for 
remote  deployment.  Design 
libraries,  programming  tools  and 
unit  testing  tools  for  Service 
Monitor  programming  environ¬ 
ments.  Supply  samples  and  pro¬ 
gramming  guidelines.  Responsible 
for  technical  lead  and  training 
with  Microsoft  technologies,  Visual 
Basic  and  Visual  C++  multitier 
applications  using  WIN32,  ATL, 
COM,  COM+  and  .NET. 
Responsible  for  WIN32  and  COM 
design  and  programming  techni¬ 
cal  support.  40  hrs/wk.  Bachelors 
degree  in  Computer  Science.  4 
yrs.  exp.  in  job  offered  or  4  yrs. 
related  exp.  in  software  engineer¬ 
ing  and/or  consulting. 
$101,008/yr.  Apply  at  the  nearest 
Employment  Security  Commission 
office  of  North  Carolina  or  submit 
resume  to  Employment  Security 
Commission,  742-F  East  Chatham 
Street.  Cary.  NC  27511.  J  O.  # 
NC5705907  and  DOT  code 
030.062-010.  All  resumes  must 
include  applicant's  Social 
Security  Number.  AD  paid  by 
an  Equal  Opportunity  Employer. 


SYSTEMS  ANALYST 
-  Udr.  sprvsn.  analyze 
usr.  telecomm,  reqs. 
to  install  &  improve 
syst.  Req:  BS  in  CS 
or  Comp.  Info.  Sys.  & 
fluency  in  Japanese  & 
English.  Resumes: 
Syscom  USA,  Inc.  55 
Broadway,  17th  Floor, 
NY,  NY  10006.  Attn: 
S.  Sato. 


Denso  Manufacturing  is  looking 
for  Process  Engineer  responsi¬ 
ble  for  heat  exchange  process 
introduction  (Evaporator  area) 
including  jig  specs,  control 
plans,  ergonomics,  leaks  & 
scrap  improvement.  Min  is  BS 
with  exp  in  XRD,  Unix.  Send 
resumes  to  One  Denso  Rd, 
Battle  Creek,  Ml  49015.  EOE. 

K&M  Softech  is  looking  for  pro¬ 
grammer/system  system,  soft¬ 
ware/project  engineers,  IT  pro¬ 
fessionals.  Both  entry  &  experi¬ 
enced  levels  needed  Some 
positions  require  travel.  Skills  in 
C/++,  VB.  Oracle,  SAP,  SQL, 
Java  are  plus.  Please  send 
resumes  to: 

Recruit@kmsoftech.com.  EOE. 


Systems  Analyst  II.  BS  in 
Comp.  Sci.  or  rel  field  +  2 
yrs  rel  exp,  incl  exp 
w/GAAP  principles,  insur¬ 
ance  &  mortgage  business 
concepts  &  calculations  & 
s/ware  dvlpmt  using 
Windows  or  Intranet/ 
Internet  platforms.  Demon¬ 
strated  oral  &  written  com¬ 
munication  skills.  Send 
applications  to  Tej  Dhawan, 
1601  -  48th  St.,  Ste.  220, 
West  Des  Moines,  IA 
50266. 


Software  Developer.  Under  sen¬ 
ior  supervision,  analyze,  design, 
implement  and  maintain  soft¬ 
ware  for  banks  in  mortgage  in¬ 
dustry  including  consulting  w/ 
financial  projects;  design  and 
model  databases  on  database 
servers;  and  develop  new  soft¬ 
ware  not  currently  existing  in  the 
industry.  Must  have  Bachelor's 
degree  in  Computer  Science, 
MIS  or  related,  1  year  experi¬ 
ence  in  job  offered  or  Software 
Engineer  or  related,  and  experi¬ 
ence  must  include  working  with 
Java,  Eclipse,  XML,  SWT/Jface, 
UML  and  Rational  Rose.  Send 
resume  to  Praxis  Technology 
Group,  LLC,  Attn:  Mark  Loomis, 
1500  NW  118th  St.,  Des  Moines, 
IA  50325. 


In-Venture  Soft  is  seeking  IT 
consultants  to  design  &  devel¬ 
op  applications  for  various  pro¬ 
jects.  Applicants  must  have 
BS/MS  with  solid  background 
in  Oracle,  WebSphere,  Java, 
EJB,  ASP.  We  offer  competitive 
wage  with  full  benefit.  Travel 
maybe  required.  Apply  at 
resume@ivsinc.net.  EOE. 

RouteOne,  a  joint  venture  dev¬ 
eloped  to  create  a  more  effi¬ 
cient  automotive  finance  pro¬ 
cess  for  dealers,  has  openings 
for  IT  professionals  to  develop 
Java  applications.  Qualified 
applicants  must  have  BS/MS 
with  IT  experience.  Please  con¬ 
tact  careers@routeone.com. 
No  calls.  EOE. 


LOOKING  FOR  A 


NEW 


IT  CAREER? 


CHECK  US  OUT 


WWWITCAREERS.COM 


Computerworld  •  InfoWorld  •  Network  World  •  August  30,  2004 


CW083004E/MW/W  1 


iTlcareers.com 


it  careers 


Programmer  Analysts  to  ana¬ 
lyze.  design,  test,  implement 
and  maintain  software  systems 
in  client  server  envir  using  C, 
Java,  HTML.  VB.  ORACLE.  MS 
Access,  etc  under  Windows. 
UNIX  OSs;  write  documentation 
to  describe  program  develop¬ 
ment  and  logic;  perform  onsite/ 
offsite  maintenance,  debugging, 
testing,  and  code  optimization. 
Require:  BS  or  foreign  equiv  in 
CS/Engineering  (any  branch) 
with  2  yrs  exp  in  IT  Competi¬ 
tive  salary,  F/T,  travel  involved. 
Resume  to  HR,  Ordusion  Tech¬ 
nologies,  Inc.,  3883  Rogers 
Bridge  Road,  Suite  504,  Duluth, 
GA  30097 


Sr  Database  Specialist.  North¬ 
ern  VA  and  unanticipated  client 
locations  in  the  U.S.,  needed  to 
install,  implmt.,  maintain  &  cus¬ 
tomize  DB2  on  OS/390,  Win¬ 
dows  and  UNIX  platforms.  Incl. 
related  ISV  program  products  & 
config.  of  SNA  &  IP  netwk'g 
between  platforms.  Provide  task 
mgmt.  to  d-base  specialists. 
Req.  B.S.  in  CS,  EE,  Comput¬ 
ing,  or  Math.  Must  have  8+  yrs  of 
work  exp.  in  job  or  as  a  DBA  & 
knowledge  of  DB2  internals, 
DB2  DDF,  BMC  tools,  DB2  tun- 
ing/design/security/backup  &  re¬ 
covery.  40  hr/wk.  OT  as  needed. 
Send  copy  of  ad  w/resume  to 
Networking  for  Future,  Inc.,  Attn: 
H.  Fatemi,  1420  Spring  Hill  Rd., 
Ste.  600,  McLean,  VA  22102. 


Software  Engineer- 
Applications 

Design  and  develop  software 
application  solutions  for  the  in¬ 
vestment  banking/financial,  tele¬ 
com  and  IT  Industries.  Must 
have  Masters  Degree  in  Compu¬ 
ter  Science  or  in  a  related  field  & 
2  yrs.  exp.  or  2yrs.  exp.  in  a 
related  position  w/ability  to  use: 
JavaScript,  Struts,  Lynx  Frame¬ 
work,  and  Pro'C.  40.0  hrs./wk 
8:00  AM  -6:00  PM. 

Applicants  send  cover  letter 
and  resume  to:  Cyber  Korp, 
lnc.,400  West  Lake  Street,  Suite 
216,  Roselle  IL  60172-3572, 

Attn:  HR  MGR 


Sr.  Systems  Analyst/Project  Mgr. 
needed  to  lead  analysis  of  client 
bus.  process/acctg.  require¬ 
ments  for  implement,  of  custom 
ERP  business/acctg.  software. 
Requires  degree  +  exper.  & 
Microsoft  Navision  certification. 
Exper  must  incl:  Gap-fit  anal, 
reporting;  Microsoft  C/SIDE  pro¬ 
gramming;  demonstrated  under¬ 
stand.  of  gen.  acctg.  proce¬ 
dures.  Based  in  Santa  Monica, 
CA  -  Travel  up  to  80%  to  client 
sites  in  N.  CA  &  S.  CA.  Send 
resume  to:  S.  Mauser,  Special¬ 
ists  in  Custom  Software,  2120 
Colorado  Ave.,  Suite  150,  Santa 
Monica,  CA  90404.  Must  be  able 
to  work  without  employer  spon¬ 
sorship. 


Principal  Software  Engineer:  Pri¬ 
mary  responsibility  for  the  devel¬ 
opment  of  networking  software. 
Responsible  for  functional  spec 
dev,  arch  design,  implementa¬ 
tion  and  verification.  MS  or  for¬ 
eign  equiv.  in  EE  or  CS  plus  5  yr. 
exp.  that  must  include  3  yr.  with 
one  or  more  network  protocols 
including  IP,  TCP,  ARP,  DHCP, 
DNS,  SNMP.and  firewall.  .  Must 
be  familiar  with  IP  QOS  proto¬ 
cols  and  RFCs.  Must  have  dev¬ 
elopment  exp.  with  Linux,  and  in 
C/C++.  Please  send  resume  to 
Ucentric  Systems,  2  Clock  Tow¬ 
er  Place,  Suite  550,  Maynard. 
MA  01754,  Attn  to  Pat  Riley. 


Sr.  Software  Developer 
needed  to  provide  solutions 
to  business  &  technical 
problems;  dsgn  &  dvlp 
applic  s/ware  using  Unix,  C, 
C++,  Java,  Oracle,  VB, 
UML,  TCP/IP  &  Win  NT; 
dsgn  &  dvlp  automation 
systms  on  client-server 
architecture  apply  OO  tech¬ 
niques.  Resume  to:  Global 
Consultants,  Attn:  Hireme, 
8800  Grand  Oaks  Circle, 
Ste  100.  Tampa,  FL  33637. 


Support  Mgr.  Dallas.  TX.  Man¬ 
age  team  of  prof,  support  con¬ 
sultants  &  provide  back  end 
support  in  deployment,  installa¬ 
tion  &  troubleshooting  of  Amtrix 
&  TSIB;  liaison  w/develop. 
team  in  integration,  stress  & 
load  testing  of  Amtrix  &  TSIB. 
Use  Weblogic,  Exceed,  AMTrix 
&  TSIB;  Oracle  8i  &  9i  on  Unix 
&  WinXX  OS.  Req:  BS  in  comp 
sci  &  1  yr  exp  AMTrix  integra¬ 
tion,  configuration,  support  & 
troubleshooting.  Resumes  to: 
M.  Williams,  Viewlocity,  Inc., 
3475  Piedmont  Road,  Suite 
1700,  Atlanta,  GA  30305. 


Software  Developer  -  Austin, 
TX.  Use  SI  corp  standard  dev 
tools  &  project  method  to  devel¬ 
op.  install  &  test  solutions  to 
specific  user  tech  &  bus.  prob¬ 
lems  within  context  of  SI  Bank 
products  using  Borland  Delphi  7. 
Req:  BS  comp  sci,  engg,  or 
related,  2  yrs  consultant  or 
engg.  &  knowledge  of  Delphi, 
java,  UML  design  tools.  ISS, 
SQL,  and  ClearCase.  Perm  US 
workers  only.  Resume  to  N. 
Green  (TX),  SI,  Inc.,  3500 
Lenox  Rd.,  Ste  200,  Atlanta.  GA 
30326 


COMPUTER  PROFESSIONALS 
Opportunities  for: 

•  SYSTEMS/BUSINESS/ 
PROGRAMMER  ANALYSTS 

•  PROCESS  CAPABILITY 
ANALYST 

•  QC  ANALYST 

•  WEB  ARCHITECTS/ 
DEVELOPERS 

•  SYSTEMS  ANALYSTS 

•  WEB  GRAPHIC  DESIGNERS 

•  NETWORK  ENGINEERS 

•  PROGRAMMER/ANALYSTS 

•  SOFTWARE  ENGINEERS 
SKILLS' 

•  COLD  FUSION  •  SPECTRA 

•  ORACLE  •  VISUAL  BASIC 
•VISUAL  C++  -SIEBEL-ASP 

•  COM.  DCOM  •  JSP  •  HTML 

•  JAVA.  JAVA  BEAN  •  EJB  JAVA 
SERVLETS  •  WEBSPHERE 

•  IBM  MQ  SERIES  •  XML. UML 

•  MTS  •  CLARIFY  •  PERL 

•  OBJECTPERL  •  SPYPERL 

•  SMALLTALK  •  PL/SQL 

•  VISUAL  AGE  •  COBOL.  SPL. 
UNIX 

Visit  our  website  @ 
www.computerhorizons.com 
Attractive  salaries  and  benefits. 
Please  forward  your  resume  to: 
H.R  Mgr.,  Computer  Horizons 
Corp..  49  Old  Bloomfield 
Avenue.  Mountain  Lakes.  New 
Jersey  07046-1495.  Call 
973-299-4000.  E-mail:  jobs@ 
computerhorizons.com.  An 
Equal  Opportunity  Employer  M/F. 


Chief  Information  Officer  position  in 
large  mulli-platform  data  center  responsi¬ 
ble  for  providing  leadership  to  high  perfor¬ 
mance  management  team  in  complex 
social  services  agency. 

Represents  agency  in  meetings  with  fed¬ 
eral,  state  and  legislative  officials. 
Requires  current  technical  experience 
and  demonstrated  expertise  supporting 
IBM  ES9000  MVS/ESA/IMS/DB2, 

UNISYS  A1 9  MCP/  DMSII, 
AlX/Unix/Orade,  and  LAN/Novell. 
Experience  with  internet  applications 
design  and  development,  desired. 
Background  and  experience  with  federal 
oversight  agencies  is  highly  desirable. 
Demonstrated  success  in  public  adminis¬ 
tration  with  associated  regulatory  and 
state  oversight  entities  highly  desirable. 
Requires  interaction  with  stakeholders 
and  external  interested  parties  regarding 
complex,  highly  visible  projects. 


tO*'OA  r»t  »*K  l.vv.' 'Jl  l>: 


CHILDREN 
&  FAMILIES 


Chief  Information  Officer 

Requires  effective  interaction  with  customers  and  developers  to 
ensure  the  successful  delivery  and  implementation  of  projects, 
updates  and  modifications  to  the  production  environment.  Must 
be  able  to  work  effectively  with  senior  departmental  managers 
as  well  as  executives  with  other  state  agencies  to  achieve 
smooth  and  timely  project  development  and  conversion  for 
clients.  Desire  strong  background  and  demonstrated  success  in 
deploying  productivity  tools  for  workforce  and  agency  process¬ 
es.  Responsible  for  charting  agency  strategic  direction  in 
client/server  and  distributed/decentralized  processing. 
Qualifications:  Excellent  organizational,  analytical,  writing  and 
public  speaking  skills  are  desired  A  bachelor's  degree  from  an 
accredited  college  or  university  and  progressively  responsible 
leadership  experience  in  analytical  and/or  technical  data  pro¬ 
cessing  fields.  Prefer  experience  in  a  managerial  capacity  for  a 
medium  to  large  data  center.  Experience  as  described  above 
can  substitute  on  a  year-for-year  basis  for  the  required  college 
education. 

Submit  resume  and/or  State  of  Florida  employment  appli¬ 
cation  to:  Jo  Moore,  Department  of  Children  &  Families 
Technology  Centre,  1940  North  Monroe  Street,  Suite  80, 
Tallahassee,  Florida  32399-0710;  FAX  (850)  487-8173; 
Jo_Moore@DCF.State.FL.US  DEADLINE:  5  P.M., 

September  8,  2004.  EEO/AA  Employer/Veterans  Preference 
Those  persons  who  require  special  accommodations  during  the 
selection  process,  should  call  Jo  Moore  at  (850)  487-8169. 


Software  Development  Manager 
-  provide  business  software  de¬ 
velopment  solutions  for  Fortune 
500  clients;  engage  in  business 
modeling,  analysis  &  design  of 
complex  software  applications; 
architect  &  manage  J2EE  solu¬ 
tions  for  clients  in  the  areas  of 
portals.  Content  Management 
and  Business  intelligence/Data 
Warehousing  using  Cognos 
ReportNet,  Crystal  Reports  &  J 
Reports;  lead  a  team  of  ana¬ 
lysts/engineers  in  the  design, 
development,  testing  &  deploy¬ 
ment  of  custom  Cognos  Re¬ 
portNet  on  IBM  Websphere  plat¬ 
form  using  J2EE;  implement  all 
Rational  tools  including  Requi¬ 
site  Pro,  XDE,  ClearCase  & 
Clearquest;  mentor  develop¬ 
ment  teams  in  technical  aspects 
of  J2EE,  ATG-Dynamo.  SAP, 
Cognos  &  Websphere.  Requires 
BS  (or  MS)  in  computer  science, 
information  systems  or  engi¬ 
neering  plus  5  YR  progressive 
exp.  (3  years  with  MS).  Email 
resumes  to  Command  Technolo¬ 
gies,  Inc.,  an  MTC  Technologies 
Company,  at: 

ddubinskas@commtechinc.com 


Prog/Analysts  to  analyze,  des¬ 
ign  software  appls  using  C, 
C++,  Compile  Tools,  Oracle, 
lnformix-4GL,  Informix  Online, 
SQL  Server,  OR  Java,  JSP, 
Servlets,  XML,  ASP,  Visual 
Basic,  EJB,  JavaScript,  HTML, 
DHTML  -  under  Windows,  UN¬ 
IX  OSs;  design  APIs  for  back¬ 
up/recovery  framework;  pro¬ 
vide  on  site  maintenance  sup¬ 
port  such  as  debugging,  modifi¬ 
cations,  fine  tuning  &  code  opti¬ 
mization.  Require:  BS  or  foreign 
equiv.  in  CS/Engg.(any  branch) 
&  2  yrs  of  exp.  in  IT.  F/T.  com¬ 
petitive  salary.  Travel  involved. 
Resumes  to:  HR,  Semafor 
Technologies,  Inc.,  3300,  Hol¬ 
comb  Bridge  Road,  Ste212, 
Norcross,  GA  30092. 


Computer  Programmer/ 
Analyst  wanted  by  IT 
company  located  in 
Southfield,  Ml.  Must 
have  B.S.  in  Computer 
Science  and  1  1/2  years 
exp.  Respond  to:  Atrient 
Technologies,  P.O.  Box 
250575,  West  Bloom¬ 
field,  Ml  48325. 


Software  Engineer-Applications. 
Sought  by  Englewood  Colorado 
consulting  company  to  work  in 
various  unanticipated  locations 
throughout  the  U.S.  Duties:  De¬ 
velop,  create  and  modify  gener¬ 
al  computer  applications  soft¬ 
ware  or  specialized  utility  pro¬ 
grams.  Analyze  user  needs  and 
develop  software  solutions.  De¬ 
sign  software  or  customize  soft¬ 
ware  for  client  use  with  the  aim 
of  optimizing  operational  effi¬ 
ciency.  Analyze  and  design  da¬ 
tabases  with  an  application 
area.  Use  of  Novell,  Visual  Bas¬ 
ic,  C++,  PowerBuilder,  Java, 
ASP,  PL/SQL,  SQL,  SQL  Server 
and  Windows  NT.  Reqs.  Mas¬ 
ters  or  equivalent  in  Computer 
Science,  Computer  Engineering, 
Engineering  (any  field)  or  relat¬ 
ed  field.  Plus  1  year  in  the  job  of¬ 
fered  or  1  year  in  a  related  occu¬ 
pation,  including  Programmer 
Analyst,  Systems  Engineer  or 
Software  Engineer.  Will  accept  a 
Bachelors  degree  plus  five 
years  of  progressive  experience 
in  the  field  or  related  occupation 
in  lieu  of  required  education  and 
experience.  $73,231 .00/year, 
40/hrs/wk,  8AM-5PM.  Respond 
by  resume  to  WORKFORCE 
DEVELOPMENT  PROGRAMS, 
PO  Box  46547,  Denver,  CO 
80202,  and  refer  to  Job  Order 
No.  CO5088416. 


IT  PROFESSIONALS 
Technical  Consultant 

(Glen  Mills,  Pennsylvania  and  other  locations  through  the  U.S.).  Provide 
technology  consulting  services  for  public  sector  engagements  involving 
implementation,  testing,  development,  maintenance  and  enhancement  of 
software  packages  and  applications  utilizing  Object-Oriented  design  and 
analysis,  Oracle  9i,  MS  SQL,  Javascript,  Java,  VB  Script,  CGI  scripting, 
server  administration  skills,  Visual  Basic,  C,  C++  and  Pascal,  as  well  as 
IBM  MQ  Series,  PAM  and  Solaris.  Participate  in  formulating  and  defining 
computer  information  systems  scope  and  objectives  through  research 
and  fact-finding  to  develop  or  modify  information  systems  tailored  to  client 
management  requirements.  Prepare  detailed  technical  and  business 
requirements  from  which  software  will  be  written  Analyze  and  revise 
existing  system  logic  and  documentation.  Supervise  systems  analysts 
and  programmers  conducting  any  of  the  above  activities. 

The  wage  offered  is  $75,780  per  year.  The  work  schedule  is  Monday- 
Friday,  8:30  am  to  5:00  pm.  The  minimum  requirements  are  as  follows: 
Bachelor's  degree  or  foreign  equivalent*  in  Computer  Science, 
Engineering  (any  type).  Management  Information  Systems.  Computer 
Information  Systems  or  Math  +  2  years  of  experience  in  the  job  offered  or 
2  years  of  experience  as  a  Consultant,  System  Analyst,  Web  Developer, 
Database  Administrator  or  Programmer.  Prior  consulting  and 
project/team  management  experience  must  include  system  analysis, 
design,  implementation,  testing  and  deployment  for  Public  Sector  client 
engagements  using  Object-Oriented  design  and  analysis,  Oracle  9i,  MS 
SQL,  Javascript,  Java,  VB  Script,  CGI  scripting,  server  administration 
skills,  Visual  Basic,  C,  C++,  Pascal,  as  well  as  IBM  MQ  Series,  PAM  and 
Solaris. 

‘Employer  will  regard  a  foreign  degree  to  be  equivalent  to  a  U.S. 
Bachelor's  degree  as  determined  by  an  accredited  educational  evaluation 
service. 

Please  send  your  resume,  referencing  Job  Order  Number  WEB447614  to 
the:  PACareerLink,  FLC  Unit,  235  West  Chelten  Avenue,  Philadelphia,  PA 
19144.  EOE 


COMPUTER  PROFESSION¬ 
ALS:  Radiant  Systems,  Inc.  a 
Nationwide  Technology  provider 
located  in  NJ,  CT,  TX  &  FL  req 
Professionals  w /  Hardware  &/or 
Software  skills  Incl:  C,  C++, 
Java,  JavaScript,  XML,  UML, 
Perl,  HTML,  SQL,  Pro*C,  VB, 
PB,  VC++,  MFC,  SDK,  Gupta- 
SQL,  Informix,  Crystal  Reports, 
Sybase,  Dev  2000,  LotusNotes, 
Unix,  WinNT/95/XP,  RTOS,  Sun 
OS,  Help  Desk/PC-Support, 
SAP,  R/2-R/3,  ABAP/4,  SAP 
Scripts,  PeopleSoft,  IDMS, 
AS/400,  COBOL/CICS/  DB2, 
MVS,  RPG/400,  SQA,  Win/ 
LoadRunner.  SNMP,  COBRA, 
ASP,  Active-X,  DTM/TDMA, 
FDMA,  Routers,  DSP/ATM, 
FRAME  RELAY,  TCP/IP.  ISDN, 
DCOM,  COM,  PL/1,  SAS,  Vx- 
Works,  VHDL,  SONET/  SDH, 
SNMP,  HP  OpenView,  Proj  Mgr, 
Tech  Writers  Candidates  w/a 
BS(or  equiv)  &  2yrs  exp.  as  P/A 
and/or  MS  (or  equiv)  &  1  yr  exp. 
as  S/E.  Travel  &  reloc.,  req.  to 
anywhere  in  USA  as  assigned. 
Excel.  Benefits.  E-Mail:  radi- 
ants@radiants.com  Attn:  H.R. 
Dept.  109-A  Corporate  Blvd.,  S. 
Plainfield,  NJ  07080. 


IT  PROFESSIONALS 
Senior  Consultant 

(Glen  Mills,  Pennsylvania  and  other  locations  through  the  U.S.).  Respon¬ 
sible  for  the  analysis,  design,  development,  testing  and  implementation  of 
Data  Warehouse,  Data  Mart  and  Business  Intelligence  solutions  and 
other  related  application  development  to  ensure  that  implementations 
meet  technical  requirements,  including  those  for  performance,  and  disas¬ 
ter  recovery.  Responsible  for  gathering  functional  requirements,  defining 
technical  architecture,  system  implementation  and  client  management. 
Utilize  technical  expertise  in  all  stages  of  the  software  development  life 
cycle,  including  the  planning,  analysis,  design,  development,  and  testing 
stages.  Perform  logical  and  physical  data  modeling,  optimize  database 
performance,  and  develop  backup  and  disaster  recovery  strategies.  Util¬ 
ize  PL/SQL  to  combine  database  and  procedural  programming  language 
in  Oracle.  Responsible  for  writing  technical  documentation  of  projects  and 
transferring  knowledge  to  clients  in  order  to  support  the  application  upon 
completion  of  the  project.  Responsible  for  logical  and  physical  data  mod¬ 
els  for  Data  Warehouses  and  Data  Marts  utilizing  ERWin,  designing  uni¬ 
verses  and  reports  utilizing  Business  Objects  and  Web  Intelligence  On¬ 
line  Analytical  Processing  (OLAP)  tool,  and  data  extract,  transform  and 
load  (ETL)  functions  using  Informatica.  Participate  in  the  installation,  con¬ 
figuration,  design  and  development  of  Relational  Database  Management 
Systems,  including  Informix,  Sybase  and  Oracle  systems  as  well  as  the 
Business  Objects  and  Web  Intelligence  OLAP  tool  and  Informatica  ETL 
tool.  The  wage  offered  is  $92,000  per  year. 

The  work  schedule  is  Monday-Friday,  8:00  am  to  5:00  pm,  The  minimum 
requirements  are  as  follows:  Bachelor's  degree  or  equivalent  in  Computer 
Science,  Engineering  (any)  or  Business  Administration  +  5  years  of  expe¬ 
rience  in  the  job  offered  or  5  years  of  experience  as  a  Senior  Consultant, 
Consultant,  Engineer  or  related  occupation.  Employer  will  regard  a  for¬ 
eign  degree  to  be  equivalent  to  a  U.S.  Bachelor's  degree  as  determined 
by  an  accredited  credentials  evaluation  service  Related  experience  must 
include  at  least  one  year  with  Relational  Database  Management  Systems 
(Oracle,  Informix  and  Sybase),  SQL,  PL/SQL,  ERWin  for  data  modeling, 
Business  Objects  and  Web  Intelligence  OLAP  tool,  and  Informatica  for 
data  extraction,  transformation  and  loading  (ETL).  Please  send  your 
resume,  referencing  Job  Order  Number  WEB447641  to  the:  PA  Career- 
link,  FLC  Unit,  235  W.  Chelten  Avenue,  Philadelphia,  PA  19144  EOE. 


CW083004E/MW/W  2 


Computerworld  •  InfoWorld  •  Network  World  •  August  30,  2004 


Engineering  Manager:  Job  Dut¬ 
ies:  Lead  a  team  of  engineers 
for  full  chip  level  testing/verifica¬ 
tion  from  block  to  system  level. 
Create  test  suites  and  testing 
environments.  Direct  and  train 
Engineering  team  and  co-ordi¬ 
nate  testing/verification  of  sys¬ 
tem  on  chip  integrated  circuit  de¬ 
signs.  Assist  research  and  engi¬ 
neering  team  with  testing/verifi¬ 
cation  of  electronic  circuits. 
Perform  design  validation  of 
communication  blocks/network¬ 
ing/consumer  products  using 
C/C++  on  unix/windows  environ¬ 
ment  Create  testcases  from 
Architecture/Micro  Architecture 
specification  and  develop  test 
suites  using  pert/awk/sed  and  C- 
shell.  Conduct  trade-off  analysis 
for  various  tools  and  flows. 
Validate/test  processing  syst¬ 
ems  and  designs  using  FPGA. 
Conduct  behavioral  modeling  of 
electronic  circuits.  40  hrs.  week. 
Salary  $108,500/year.  Master's 
degree  in  Science,  Engineering 
or  Technology  with  at  least  four 
(4)  years  of  exp.  in  job  offered  or 
a  Member  of  Technical  Staff. 
Special  requirements:  Applying 
electronic  series  and  concepts 
to  integrated  circuit  design,  de¬ 
velopment  and  testing  for  com¬ 
munication  and  networking  pro¬ 
ducts;  Development  of  software 
and  hardware  for  consumer 
communication  products  using 
HDL  languages;  Must  be  willing 
to  relocate,  if  necessary.  Send 
two  (2)  copies  of  resume/letters 
of  application  to:  Job  Order  # 
2004-077,  P.O.  Box  989, 
Concord,  NH  03302-0989. 


Systems  Engineer,  Temple  Ter¬ 
race.  FL  -  develop  telecom  appli¬ 
cations  utilizing  TELON,  a  com¬ 
puter-aided  software  engineer¬ 
ing  tool,  information  manage¬ 
ment  system  database/data 
communications  (IMS  DB/DC), 
COBOL  and  DB2;  design  and 
implement  system  solutions  for 
business  requirements  to  na¬ 
tional  on-line  ordering  system, 
for  the  telecom  Industry,  utilizing 
design  methodology,  software 
and  hardware  knowledge;  pro¬ 
vide  support  and  troubleshoot¬ 
ing  techniques;  analyze,  design 
and  implement  solutions;  pro¬ 
vide  customer  support  Requires 
Bachelors  degree  in  Computer 
Science  and  either  5  years 
experience  in  the  job  offered  or 
5  years  experience  in  develop¬ 
ing  telecom  applications  utilizing 
TELON.  IMS  DB/DC,  COBOL 
and  DB2  Salary  $63,1 00/yr,  40 
hrs/week,  8  AM  to  5  PM,  Mon  - 
Fit  Send  resume  to  Workforce 
Program  Support,  P.O.  Box 
10869,  Tallahassee,  FL  32302- 
0869,  refer  to  Job  Order  #FL- 
2549132. 


Texcel,  Inc  seeks  Lead  Network 
Engineer  In  our  Cleveland,  OH 
loc.  Creation  &  integration  of 
advanced  computer  technolo¬ 
gies  into  client  environments. 
Identify  &  configure  equipment, 
software/hardware,  manipulate 
data  &  other  components  to 
meet  client  needs  Implement 
solutions  individually  or  as  part 
of  a  team.  Must  have  Bachelors 
degree  in  Engineering  or  related 
field  ♦  5  yrs  relevant  experience. 

Resume  to  Texcel,  Inc.  Com- 
mercePark  It.  23220  Chagrin 
Blvd  .  Ste  202.  Beachwood,  OH 
44122-5409. 


IT  CAREER  OPPORTUNITIES 

CALIFORNIA  -  (Corporate  HQ 
Employment  is  throughout  US); 
Programmer  Analyst 
MICHIGAN-Programmer  Analyst 

F>osi1tons  require  a  BS  and  rele¬ 
vant  experience;  a  combination 
of  experience  and  college  level 
education  may  be  accepted  The 
flexibility  to  travel  and  be  on-call 
mav  be  necessary  Proof  of  legal 
authorization  to  work  in  the  U  S 
is  required 

Please  forward  your  resume  to 
Computer  Sciences  Corp  .  Attn: 
J  Le.  2100  E  Grand  Ave  Mail 
Code  A209,  0  Segundo.  CA 
90245  Please  indicate  the  spe¬ 
cific  location  for  which  you  are 
applying 


Lansa,  Inc  is  seeking  a  LANSA 
Latin  America  Sales  Technical 
Support  for  Downers  Grove,  IL. 
Candidate  will  provide  phone 
and  on  site  pre  and  post  sale 
technical  advice  to  Latin 
American  partners  and  manu¬ 
facturing,  distribution,  financial, 
government  and  retail  industry 
LANSA  clients.  Will  build  proto¬ 
types  and  proof  of  concept  appli¬ 
cations  for  prospective  cus¬ 
tomers  and  provided  post  sale 
software  guidance  to  insure 
client's  LANSA  projects  are  suc¬ 
cessful.  Will  review  sales  pro¬ 
posals  to  insure  technical  accu¬ 
racy  while  using  knowledge  of 
application  development  involv¬ 
ing  the  following:  (1)  User/Client 
interface:  Windows  Client,  5250/ 
Character  (2)  RDBMS:  DB2/400 
and  SQL  Server.  Will  use  knowl¬ 
edge  of  the  following  LANSA 
products:  Visual  LANSA.  LAN¬ 
SA  client,  LANSA  Open,  RUOM, 
LANSA  for  iSeries.  Will  conduct 
post  sale  education  classes  on 
the  use  of  these  LANSA  prod¬ 
ucts  and  well  as  using  knowl¬ 
edge  of  3GL  programming  lan¬ 
guages.  Please  fax  resumes  to 
(630)  874-7001  and  reference 
job  title  when  applying. 


PROGRAMMER/ANALYST 

Analyze,  design,  develop,  test 
software  applications  to  meet 
customer  requirements.  Applica¬ 
tions  need  to  be  developed 
using  C++,  C #,  .NET,  CLR,  VB, 
Java.  MFC,  ATL,  COM/DCOM. 
Use  the  software  tools  such  as 
Oracle,  SQL  Server,  IIS,  Web 
Logic  Server,  Rational  Rose, 
CVS,  Remedy,  Clearcase, 
PVCS  tracker.  8:00  a.m.  to  5:00 
p.m„  $55, 000/year,  Bachelor’s 
degree  in  Computer  Science/ 
Engineering.  Five  years  of  ex¬ 
perience  in  job  offered  or  related 
occupation  such  as  software 
development.  Must  have  proof 
of  legal  authority  to  work  in  the 
United  States.  Send  your  res¬ 
ume  to  the  Iowa  Workforce  Cen¬ 
ter,  590  Iowa  Street  Dubuque,  IA 
52004-0757.  Please  refer  to  Job 
Order  #IA1 101900.  Employer 
paid  advertisement. 


Computer 

SOFTWARE  ENGINEERS  to 
design,  develop,  debug,  imple¬ 
ment,  test  and/or  analyze  com¬ 
puter  software  programs  for  ap¬ 
plications.  May  assist  in  porting, 
documentation,  and/or  defining 
requirements.  Analyze  opera¬ 
tional  requirements;  provide  rec¬ 
ommendations  for  software 
architecture  and  system  perfor¬ 
mance  optimization.  All  levels 
may  require  a  Master’s  degree 
in  Computer  Science,  Engineer¬ 
ing,  Business,  Math,  Physics,  or 
related  technical  discipline,  and 
2  years  work  experience  in  de¬ 
signing,  developing,  and  imple¬ 
menting  software  applications, 
including  (1)  RDBMS  concepts 
and  internals,  performance  tun¬ 
ing,  and  security,  (2)  SQL/PSQL 
code  optimization,  (3)  defining 
software  development  lifecycle 
and  architecture  for  technology 
stack  integration,  4)  developing 
software  coding  standards  and 
procedures  for  enforcing  stan¬ 
dards  compliance,  and  (5) 
designing  infrastructure  for  soft¬ 
ware  packaging,  patching, 
release  and  deployment.  Send 
resumes  for  all  level  and  all 
types  to:  Oracle  Corporation, 
500  Oracle  Parkway,  MS  # 
30P864B,  Redwood  Shores, 
CA  94065;  Attn:  Job  Code: 
385.6764.  Oracle  supports 
workforce  diversity. 


Primus  Global  Services,  Inc.,  is 
seeking  IT  professionals  in  sev¬ 
eral  areas:  Functional  Consul¬ 
tants  -  Oracle  DBAs  -  Adminis¬ 
ter  &  consult  on  Oracle  ERP  & 
data  warehousing  solutions/im¬ 
plementations  using  Oracle  8i/9i 
&  Net  on  UNIX/Windows  plat¬ 
forms  Programmer  Analysts  - 
1)  Program  &  implement  XML 
web  services  &  coding  for  Or¬ 
acle  &  SQL  Server  back-ends 
using  VB  &  Net  or  2)  Code  & 
implement  web  based  applica¬ 
tions  for  UNIX  &  MVS  using 
COBOL,  DB2,  SQL  &  shell  pro¬ 
gramming.  Code  user  interfac¬ 
es  using  IBM  Web  Sphere  & 
MQ  Series  middleware,  IBM's 
Apache  Web  Server,  J2EE  and 
JDK  System  Administrators  - 
support  &  maintain  operations 
of  UNIX  server,  networks,  appli¬ 
cations  production  &  systems 
environments.  Send  resumes  to 
jobs@primusglobal.com. 


IT  Careers  Wants 
You! 

Take  the  hassle  out  of 
job  searching  and 
check  us  out  at 
www.itcareers.com. 
Today,  more  than  ever, 
the  right  skills  fuel  the 
new  economy  and  IT 
Careers  wants  you  to  be 
there.  Check  us  out  at: 
www.itcareers.com 


_ _  MtWgikWorld 

COMPUTERWORU) 


Ifl  L\  I  rwfies  hss«i*t'^«v 
I  KAck^pnvnt  liwinmmrw 


.  Haws  put 
open  source 
hot  seat 


& 


Follow 

Money  ** 


am  or * 


Let  IT  Careers  focus  and 
direct  your  recruitment 
message  by  using  three 
unique  IDG  publications: 
Computerworld, 

Info  World  and 
Network  World 


Call:  (800)  762-2977 


Computerworld 


August  30,  2004 


CWOMOO**  ) 


www.computerworld.com 


AD  INDEX 


COMPUTERWORLD  August  30. 2004 


COMPUTERWORLD 

HEADQUARTERS 

500  Old  Connecticut  Path.  P.O.  Box  9171 
Framingham.  MA  01701-9171 
Phone:(508)879-0700 
Fax:(508)875-4394 

PUBLISHER/CEO 

Bob  Carrigan 
(508)  820-8100 

EXECUTIVE  ASSISTANT  TO  THE  CEO 

Nelva  Riley 
(508)  820-8105 

VICE  PRESIDENT/ 

GENERAL  MANAGER  ONLINE 

Martha  Connors 
(508)  620-7700 

EXECUTIVE  VICE  PRESIDENT/ 
EDITOR-IN-CHIEF 

Maryfran  Johnson 
(508)  820-8179 

EXECUTIVE  VICE  PRESIDENT/ 
STRATEGIC  PROGRAMS 

Ronald  L.  Milton 
(508)  820-8661 

EXECUTIVE  VICE  PRESIDENT/COO 

Matthew  C.  Smith 
(508)  820-8102 

VICE  PRESIDENT/ 
NATIONAL  ASSOCIATE  PUBLISHER 

Matthew  J.  Sweeney 
(508)  271-7100 

VICE  PRESIDENT/CIRCULATION 

Debbie  Winders 
(508)  820-8193 


CIRCULATION 

Circulation  Coordinator/Diana  Turco,  (508)  820-8167 

PRODUCTION 

Vice  President  Production/Carolyn  Medeiros;  Production  Manager/Kim 
Pennett  PRINT  DISPLAY  ADVERTISING:  (508)  820-8232.  Fax: 
(508)  879-0446,  DISTRIBUTION:  Director  of  Distribution  and  Postal 
Affairs/Bob  Wescott 

MARKETING 

Director  of  Marketing/Matt  Duffy 
(508)  820-8145 

STRATEGIC  PROORAMS  AND  EVENTS 

Vice  President  Strategic  Imtiatives/leo  Leger;  Director.  Event  Spon¬ 
sorship  Sales/Ann  Harris;  Director.  Event  Marketing  and  Conference 
Programs/Derek  Hulitzky;  Group  Manager.  Event  Operations/Michael 
Meleedy;  Marketing  Manager/Kate  Carroll;  Marketing  Program  Coordi¬ 
nator/Chris  Leger;  Operations  Manager/Lynn  Mason;  Conference  Man¬ 
ager/Nanette  Jurgelewicz;  Customer  Service  Specialist/Pam  Malin- 
gowski;  Administrative  Coordinator/Shari  Redan.  500  Old  Connecticut 
Path.  Box  9171.  Framingham.  MA  01701-9171.  (508)  879-0700. 

Fax:  (508)  626-8524 

ONLINE  ADVERTISING 

National  Director  of  Online  Sales/Operations.  Gregg  Pinsky.  (508) 
271-8013;  Online  Sales  Manager.  Sean  Weglage.  (415)  978-3314.  Fax: 
(415)  543-8010;  Online  Sales  Assistant.  Kathy  Snow  (508)  270-7112; 
500  Old  Connecticut  Path.  Box  9171.  Framingham.  MA  01701-9171.  Fax: 
(508)  270-3882 

IT  CAREERS  ADVERTISING  SALES  OFFICES 

Vice  President.  Recruitment  Advertising/Nancy  Percival.  (800)  762- 
2977.  Fax  (508)  879-0184.  Sales  &  Marketing  Associate/Deborah  J. 
Green.  (508)  620-7757.  Fax  (508)  879-0184. 500  Old  Connecticut 
Path.  Framingham.  MA  01701;  EAST:  Regional  Manager/Jay  Saveli. 
(610)  758-9755.  Fax  (610)  419-2134;  Account  Executive/  Danielle 
Tetreault .  (508)  620-7759  CENTRAL:  Regional  Manager/Laura 
Wilkinson.  (847)  441-8877.  Account  Executive/Mark  Dawson.  (508) 
620-7760  WEST:  Regional  Manager/Caroline  Garcia  (408)  941- 
0562;  Account  Executive/Mark  Dawson.  (508)  620-7760 


LIST  RENTAL 

POSTAL:  Rich  Green.  (508)  370-0832.  e-mail:  rgreen  @idglist.com. 

E-MAIL:  Christine  Cahill.  (508)  370-0808. 
e-mail  ccahill@idglist.com  MAILING  ADDRESS:  IDG  List  Services. 
P.O.  Box  9151.  Framingham.  MA  01701-9151.  Fax:  (508)  370-0020 


COMPUTERWORLD  SALES  OFFICES 


VICE  PRESIDENT/NATIONAL  ASSOCIATE  PUBLISHER 


Matthew  J.  Sweeney 
(508)271-7100 
Fax:  (508)  270-3882 


SALES  BUSINESS  MANAGER 

Laureen  Austermann 
(508)  820-8522 
Fax:  (508)  270-3882 


NORTHWESTERN  STATES 


ACCOUNT  DIRECTOR:  Jim  Barrett  (415)  978-3306: 
ACCOUNT  EXECUTIVE:  SaraJane  Robinson-Retondo 
(415)  978-3304, 501  Second  Street,  Suite  114,  San  Fran¬ 
cisco,  CA  94107,  Fax:  (415)  543-8010 


BAY  AREA 


ACCOUNT  DIRECTOR:  Jim  Barrett  (415)  978-3306, 
ACCOUNT  EXECUTIVES:  Emmie  Hung  (415)  978-3308, 
SaraJane  Robinson-Retondo  (415)  978-3304,  501  Sec¬ 
ond  Street,  Suite  114,  San  Francisco.  CA  94107,  Fax: 

(415)  543-8010 


SOUTHWESTERN  STATES 


ACCOUNT  DIRECTOR:  Bill  Hanck  (949)  442-4006; 
ACCOUNT  EXECUTIVE:  Jean  Dellarobba  (949)  442- 
4053, 19200  Von  Karman  Avenue,  Suite  360,  Irvine.  CA 
92612,  Fax:  (949)  476-8724 


EASTERN  CENTRAL  STATES/  INDIANA 


ACCOUNT  DIRECTOR:  Peter  Mayer  (201)  634-2324: 
ACCOUNT  EXECUTIVE:  John  Radzniak  (201)  634- 
2323,  650  From  Road  -  2nd  Floor,  Paramus,  NJ  07652, 
Fax:  (201)  634-9289 


CENTRAL  STATES 


ACCOUNT  DIRECTOR:  Bill  Hanck  (949)  442-4006: 
ACCOUNT  EXECUTIVE:  Jean  Dellarobba  (949)  442- 
4053, 19200  Von  Karman  Avenue.  Suite  360,  Irvine,  CA 
92612,  Fax:  (949)  476-8724 


NEW  ENGLAND  STATES/ MINNESOTA/ WISCONSIN/ OHIO 


ACCOUNT  DIRECTOR:  Laurie  Marinone  (508)  271- 
7108:  ACCOUNT  EXECUTIVE:  Deborah  Crimmings 
(508)  271-7110,  500  Old  Connecticut  Path,  Framingham, 
MA  01701,  Fax:  (508)  270-3882 


METRO  NEW  YORK 


ACCOUNT  DIRECTOR:  Peter  Mayer  (201)  634-2324; 
ACCOUNT  EXECUTIVE:  John  Radzniak  (201)  634- 
2323,  650  From  Road  -  2nd  Floor,  Paramus,  NJ  07652, 
Fax:  (201)  634-9289 


SOUTHEASTERN  STATES/  ILLINOIS/  MICHIGAN 


ACCOUNT  DIRECTOR:  Lisa  Ladle-Wallace  (904)  284- 
4972, 5242  River  Park  Villas  Dr.,  St.  Augustine,  FL  32092, 
Fax:(800)779-8622;  ACCOUNT  EXECUTIVE:  Deborah 
Crimmings  (508)  271-7110, 500  Old  Connecticut  Path.  Fram 
ingham.  MA  01701,  (508)  879-0700,  Fax:  (508)  270-3882 


ADVERTISER’S  IHDEX 


Business  Intelligence  Perspectives  . . .  .30 
www.biperspectives.com/cw 

EMC  . 9 

www.emc.com 

Hewlett-Packard  Brand . 2-3 

www.hp.com 

Hewlett-Packard  Printers . 47 

www.hp.com 

IBM  eServer . 20-21 

www.ibm.com 

IBM  Software . 34-35 

www.ibm.com 

IronPort  Systems  . 15 

www.ironport.com/book 

IT  Executive  Summit  Series 

Dallas . 39 

www.itexecutivesummit.com/nc 

IT  Executive  Summit  Series 

Philadelphia  . 29 

www.itexecutivesummlt.com 

Microsoft  Manageability . 4 

www.microsoft.com/forrester 

Microsoft  Security . 11 

microsoft.com/security/IT 

SAP  . 23 

www.sap.com 

SAS  . 48 

www.sas.com 

Sharp . 18 

www.sharpusa.com 


THIS  INDEX  IS  PROVIDED  AS  AN  ADDITIONAL 
SERVICE.  THE  PUBLISHER  DOES  NOT  ASSUME 
ANV  LIABILITY  FOR  ERRORS  OR  OMISSIONS. 


INTERNATIONAL 
DATA  GROUP 

CHAIRMAN  OF  THE  BOARD 

Patrick  J.  McGovern 

CEO 

Pat  Kenealy 

COMPUTERWORLD  is  a  business  unit  of  IDG,  the 
world’s  leading  technology  media,  research  and  event 
company.  IDG  publishes  more  than  300  magazines 
and  newspapers  and  offers  online  users  the  largest 
network  of  technology-specific  sites  around  the  world 
through  IDG.net  (www.idg.net),  which  comprises  more 
than  330  targeted  Web  sites  in  80  countries.  IDG  is 
also  a  leading  producer  of  168  computer-related  events 
worldwide,  and  IDG's  research  company, 

IDC.  provides  global  market  intelligence  and  advice 
through  51  offices  in  43  countries.  Company  informa¬ 
tion  is  available  at  www.idg.com. 

*IDG 


Have  a  problem  with  your  Computerworld  subscription? 


We  want  to  solve  it  to  your  complete  satisfaction,  and  we  want  to  do  it  fast. 

Please  write  to  Computerworld,  P.O.  Box  3500,  Northbrook,  IL  60065-3500. 

Your  magazine  subscription  label  is  a  valuable  source  of  information  for  you  and  us.  You  can  help  us  by 
attaching  your  magazine  label  here,  or  copy  your  name,  address,  and  coded  line  as  it  appears  on  your 
label.  Send  this  along  with  your  correspondence. 


ADDRESS  CHANGES  OR  OTHER  CHANGES  TO  YOUR  SUBSCRIPTION 

All  address  changes,  title  changes,  etc.  should  be  accompanied  by  your  address  label,  if 
possible,  or  by  a  copy  of  the  information  that  appears  on  the  label,  including  the  coded  line. 


YOUR  NEW  ADDRESS  GOES  HERE: 


ADDRESS  SHOWN:  □  Home  J  Business 


NAME 

TITLE  COMPANY 

ADDRESS 

CITY  STATE  ZIP 

OTHER  QUESTIONS  AND  PROBLEMS 

It  Is  better  to  write  us  concerning  your  problem  and  include  the  magazine  label.  Also,  address  changes 
are  handled  more  efficiently  by  mail.  However,  should  you  need  to  reach  us  quickly,  the  following  toll-free 
number  is  available  (888)  559-7327  Outside  U.S.  call  (847)  559-7322. 

Internet  address:  cw@omeda.com 

COMPUTERWORLD  allows  advertisers  and  other  companies  to  use  its  mailing  list  for  selected  offers  we  feel  would  be 
of  interest  to  you.  We  screen  these  offers  carefully.  If  you  do  not  want  to  remain  on  the  promotion  list  please  write  to  the  fol¬ 
lowing  address  -  COMPUTERWORLD.  Circulation  Department.  500  Old  Connecticut  Path.  Framingham.  MA  01701. 


44 


COMPUTERWORLD  August  30, 2004 


RESOURCES 


www.computerworld.com 


John  R.  Brillon,  associate  art  director . (508)  820-8216 

David  Waugh,  associate  art  director . . . (508)  820-8142 

Peter  Smith,  Web  development  manager 

Kevin  Oerich,  Mark  Savery,  Web  developers 
Matthew  Moring,  graphics  designer 


How  to  Contact 

OMPUTERWORLD 

We  invite  readers  to  call  or  write  with  their  comments 
and  ideas.  It  is  best  to  submit  ideas  to  one  of  the  department 
editors  and  the  appropriate  beat  reporter. 


Maryfran  Johnson, 

editor  in  chief 
(508)820-8179 

DEPARTMENT 


EDITORS 

Don  Tennant,  News  editor . (508)  620-7714 

Craig  Stedman,  assistant  News  editor . (508)  820-8120 

Mitch  Betts,  Features  editor . (301)  262-8243 

Tommy  Peterson,  Technology  editor . . (508)  620-7729 

Kathleen  Melymuka,  Management  editor . (508)  820-8118 


REPORTERS 

Matt  Hamblen,  networking;  network  systems  management; 


e-commerce;  CA. . (508)  820-8567 

Thomas  Hoffman,  information  economics;  IT 

investment  and  management  issues;  careers/labor . (845)  988-9630 

Lucas  Mearian,  financial  services:  storage; 

IT  management . . . (508)  B20-8215 

Linda  Rosencrance,  general  assignment; 

transportation/carriers . (508)  628-4734 

Carol  Sliwa,  Microsoft;  Web  services  technologies; 

application  development;  retail  industry . (508)  628-4731 

Marc  L.  Songini,  ERP;  supply  chain:  CRM;  databases; 
datawarehousing;  EAI . (508)  820-8182 

Patrick  Thibodeau,  enterprise  systems;  outsourcing  and 
immigration  issues;  corporate  antitrust  issues . (202)  333-2448 


Dan  Verton,  federal/state  government;  legislation; 
critical-infrastructure  security;  travel . (703)  321-2277 

Jaikumar  Vijayan,  corporate  security/privacy  issues; 
manufacturing . (630)  978-8390 

Todd  R.  Weiss,  general  assignment;  Linux; 
messaging/collaboration . (717)  394-3850 


OPINIONS 


Jamie  Eckle,  Opinions  editor . (508)  820-8202 

Frank  Hayes,  senior  news  columnist . (503)  252-0100 


FEATURES 


Ellen  Fanning,  special  pro|ects  editor . (508)  820-8204 

Robert  L.  Mitchell,  senior  editor . (508)  820-8177 

Mark  Hall,  editor  at  large . . . (503)  391-1158 

Gary  H.  Anthes,  national  correspondent . (703)  536-9233 

Julia  King,  national  correspondent . (610)  532-7599 


COMPUTERWORLD.COM 


Tom  Monahan,  online  director . (508)  820-8218 

Sharon  Machlis,  managing  editor/online . (508)820-8231 

Ken  Mingis,  online  news  editor . (508)  820-8545 

Marian  Prokop,  online  editor  at  large . (508)  620-7717 


David  Ramel,  e-mail  newsletter/online  editor  at  large... .(508)  820-8269 


RESEARCH 

Mari  Keefe,  research  manager 
Gussie  Wilson,  research  associate 

COPY  DESK 

Michele  Lee  DeFillppo,  managing  editor/production  ...(508)  820-8126 
Bob  Rawson,  assistant  managing  editor/production . (508)  271-8015 

Mike  Parent,  Monica  Sambataro,  senior  copy  editors 
Eugene  Demaltre,  copy  editor 

GRAPHIC  DESIGN 

Stephanie  Faucher,  design  director . (508)  820-8235 

April  O'Connor,  associate  art  director 
Julie  Quinn,  senior  designer 
Susan  Cahill,  graphics  coordinator 

John  Klossner,  cartoonist 

ADMINISTRATIVE  SUPPORT 

Linda  Gorgone,  office  manager . (508)  820-8176 

CONTRIBUTING 

COLUMNISTS 

Pimm  Fox,  Michael  Gartenberg, 

Dan  Gillmor,  Paul  Glen,  Barbara  Gomolski, 

Thornton  A.  May,  David  Moschella, 

Bart  Perkins,  Paul  A.  Strassmann 


CONTRIBUTING 

WRITERS 

Mary  Brandel,  Russell  Kay, 
Sami  Lais,  Robert  L.  Scheier, 
Steve  Ulfelder 


GENERAL  INFORMATION 


TELEPHONE/FAX 

Main  phone  number. . . .  (508)  879-0700 

All  editors  unless  otherwise  noted  below 

Main  fax  number . (508)  875-8931 

24-hour  news  tip  line. . .  (508)  620-7716 


Our  Web  address  is 

www.computerworlJ.com. 

Staff  members'  e-mail  follows  this  form: 

firstnameJastnametScomputerworld.com. 

For  IDO  News  Service  correspondents: 

firstnameJastnametSidg.com. 

LETTERS  TO  THE  EDITOR 

Letters  to  the  editor  are  welcome 
and  should  be  sent  to: 

letterstScomputerworld.com. 

Include  your  address  and  telephone  number. 

MAIL  ADDRESS 

PO  Box  9171,  500  Old  Connecticut  Path, 
Framingham,  Mass.  01701 

SUBSCRIPTIONS/BACK  ISSUES 

Subscription  rates:  U.S.,  $99.99/year;  Canada, 
$130/year;  Central  and  South  America,  $250/year; 
all  others,  $295/year 

Phone . (888)  559-7327 

E-mail . cw@omeda.com 

Back  issues . (508)  820-8167 

REPRINTS/PERMISSIONS 

Contact . Renee  Smith 

Phone . (717)  399-1900,  ext.  172 

E-mail . reprints@computerworld.com 

Visit  www.reprintbuyer.com  to  obtain  quotes 
and  order  reprints  online. 


COMPANIES  IN  THIS  ISSUE 

Page  number  refers  to  page  on  which  story  begins.  Company  names  can  also  be 

searched  at  www.computerworld.com. 


@STAKE  INC . 6 

ACCELA 

COMMUNICATIONS . 45 

ACCENTURE  LTD . 24 

ADVANCEDFORCE 

INFOSECURITY  INC . 8 

AIR  LINE  PILOTS 

ASSOCIATION . 13 

ALLSTATE  INSURANCE  CO . 1 

ALPINE  ELECTRONICS  INC . 8 

AMALGAMATED  BANK 
LONGVIEW  COLLECTIVE 

INVESTMENT  FUND . 14 

AMR  RESEARCH  INC . 12 

APPLE  COMPUTER  INC . 8 

BEA  SYSTEMS  INC . 25 

BEARING  POINT  INC . 8 

BLEUM  INC . 8 

BMC  SOFTWARE  INC . 25 

BOSTON  UNIVERSITY . 32 

BRESLER  4  REINER  INC . 12 

BROWN  BROTHERS 

HARR1MAN  &  CO . 33 

BT  SYNTEGRA . 25 

BURTON  GROUP . 24 

BUSINESS  INNOVATION  INC . 31 

BUSINESS  SOFTWARE 

ALLIANCE . 8 

CALENDRA  . 25 

CAPITAL  ONE 

FINANCIAL  CORP. . 33 


CENTER  FOR  PROJECT 

MANAGEMENT . 38 

CHANTRY  NETWORKS  INC . 15 

CIRCUIT  CITY  STORES  INC . 1 

CISCO  SYSTEMS  INC . 10.12.27 

CITRIX  SYSTEMS  INC . 1.6,8 

CNN . 19 

COMPUTER  ASSOCIATES 

INTERNATIONAL  INC . 14 

COUNTERPANE  INTERNET 

SECURITY  INC . 28 

CXO  SYSTEMS  INC . 38 

DANA  CORP. . 38 

DEFENSE  FINANCE  AND 

ACCOUNTING  SERVICE . 13 

DELL  INC . 12.37 

DHL  WORLDWIDE 

NETWORK  SA/NV . 1 

DUKE  POWER  CO . 16 

E-GOLD  LTD . 22 

E-LOAN  INC . 6 

EBAY  INC . 22.46 

EMC  CORP. . 14 

ENTERPRISE  STORAGE 

GROUP  INC . 14 

EXCEL  SWITCHING  CORP . 31 

F-SECURE  CORP . 19 

FEDERAL  TRANSPORTATION 

ADMINISTRATION . 15 

FINANCIAL  SERVICES 
TECHNOLOGY  CONSORTIUM . 1 


FORRESTER 

RESEARCH  INC . 16,33 

GARTNER  INC . 8,12 

GOLDMAN  SACHS  &  CO . 38 

HARVARD 

BUSINESS  SCHOOL . 37 

HAWAIIAN  ELECTRIC  CO . 45 

HELENA  REGIONAL  AIRPORT ...  13 

HEWLETT-PACKARD  CO . 12 

HEXAWARE 

TECHNOLOGIES  LTD . 6 

HUNTINGTON 

BANCSHARES  INC . 1 

IBM . 1,12 

ICEX  INC . 31 

IMPRIVATAINC . 28 

INFORMATION  SYSTEMS  AUDIT 
AND  CONTROL  ASSOCIATION. . .  12 
INFORMATION  TECHNOLOGY 

GOVERNANCE  INSTITUTE . 12 

INFOSYS  TECHNOLOGIES  INC. ...  6 

IOMEGA  CORP . 28 

JOLLY  TECHNOLOGIES  INC . 7 

JUPITER  RESEARCH . 31.32 

KNOWNOW  INC . 8 

LOGICLIBRARY  INC . 28 

LOTUS  SOFTWARE  GROUP . 28 

MANULIFE  FINANCIAL  CORP.  ...  31 

MAXWARE  INC . 25 

MCAFEE  INC . 27 

MCKESSON  CORP . 1 

META  GROUP  INC . 1 

METROPOLITAN  HEALTH  CORP.. .  1 
MICROSOFT  CORP. .  1.8.10.12.14.16. 

. 19.28,45.46 

MINCOM  LTD . 45 

MIT  . 37 

MOBILISA  INC . 15 


MONITOR  GROUP . 38 

NATIONAL  ASSOCIATION 
OF  SOFTWARE  AND 

SERVICE  COMPANIES . 7 

NATIONAL  INSTITUTE 
OF  STANDARDS 

AND  TECHNOLOGY . 28 

NATIONAL 

SECURITY  AGENCY . 28 

NEUSOFT  GROUP  LTD . 8 

NEW  YORK  INDEPENDENT 

SYSTEM  OPERATOR . 24 

NIKU  CORP . 33 

NORMAN  Y.  MINETA  SAN  JOSE 

INTERNATIONAL  AIRPORT . 13 

NOVELL  INC . 28 

OBLIX  INC . 24.25 

OCTETSTRING  INC . 24.25 

OGE  ENERGY  CORP . 1 

ORACLE  CORP. . 10.24.27 

P-CUBE  INC . 12 

PACIFIC  EDGE 

SOFTWARE  INC . 33 

PAISLEY  CONSULTING  INC . 12 

PAYPAL . 22 

PEOPLESOFT  INC . 10.13,27 

PEPSICO  INC . 38 

PERSISTENT  SYSTEMS  PVT.  ...  25 

POSTINI  INC . 8.19 

PRECISION  CONSULTING  INC.  . .  27 

PROSIGHT  INC . 33 

PROXIM  CORP. . 15 

RADIANT  LOGIC  INC . 8,24.25 

RSA  SECURITY  INC . 24 

RUAN  TRANSPORTATION 

MANAGEMENT  SYSTEMS . 38 

RUSSELL/MELLON 


ANALYTICAL  SERVICES  LLC _ 33 


SANDSTORM  ENTERPRISES  ...  46 


SAP  AG . 27 

SAP  AMERICA  INC . 12 

SENTIENT  JET  INC . 38 

SIEBEL  SYSTEMS  INC . 27 

SMARTLINE  INC . 8 

SMITH.  ANDERSON,  BLOUNT. 
DORSETT.  MITCHELL 

&  JERNIGAN  LLP . 14 

SPI  DYNAMICS  INC . 27 

SUGARCRM  INC . 16 

SUN 

MICROSYSTEMS  INC . 10,12.24 

SUNGARD  DATA 

SYSTEMS  INC . 1 

SYMANTEC  CORP . 19 

SYMLABS  SA . 25 

SYSTEMEXPERTS  CORP . 32 

T.  ROWE  PRICE  GROUP  INC . 6 

THE  BOEING  CO . 24 

THE  REYNOLDS  AND 

REYNOLDS  CO . 38 

THE  SCO  GROUP  INC . 19 

TIMBERLINE 

SOFTWARE  CORP. . 12 

TOSHIBA  CORP. . 8 

TOWERGROUP . 1 

TRANSPLACE  INC . 38 

TRANSPORTATION  SECURITY 

ADMINISTRATION . 13.17 

TRIPWIRE  INC . 6 

U. S.  DEPARTMENT 
OF  AGRICULTURE 

FOREST  SERVICE . 12 

U.S.  DEPARTMENT 

OF  DEFENSE . 13 

U.S.  DEPARTMENT 


OF  HOMELAND  SECURITY. . . .  13.17 


U.S.  FOOD  AND  DRUG 

ADMINISTRATION . 33 

U.S.  GOVERNMENT 

ACCOUNTABILITY  OFFICE . 13 

U.S.  POSTAL  SERVICE . 12 

U.S.  SECURITIES  AND 

EXCHANGE  COMMISSION . 12 

UPBEAT  INC . 31 

US  AIRWAYS  GROUP  INC . 17 

VERITAS  SOFTWARE  CORP . 1 

VERIZON 

COMMUNICATIONS  INC . 31 

WACHOVIA  CORP. . 38 

WASHINGTON 

STATE  FERRIES . 15 

WEB  SERVICES 
INTEROPERABILITY 

ORGANIZATION . 28 

WEBMONEY . 19 

WERNER  CO . 1 

WESTERN  UNION . 19 

WIPRO  SPECTRAMIND . 6 

WIPRO  TECHNOLOGIES . 6 

WORKSHARE 

TECHNOLOGY  INC . 28 

WRQ  INC . 1 

XEROX  CORP . 45 

ZAMBEEL  INC . 37 

ZEBRA 

TECHNOLOGIES  CORP . 12 


*! 


www.computerworld.com 


NEWS 


COMPUTERWORLD  August  30, 2004  45 


Rate  Your  Experience  With  SP2 

A  snapshot  of  the  results  of  a  SANS  Institute  online  poll:  .  % 

\  3%  No  opinion 

-  - - - ■ - ■ - -  ■  -  - . \ 

45%  No  problems 


27%  Small  problems 


1 8%  Big  problems,  but  solvable 

-  -  --  --  --  --  --  -  -  --  --  --  -  -  ,■*  <r  t  T  * 

3  8%  Big  problems,  could  not  use/install 
§  9%  Had  to  rebuild  system 

Base:  1,279  responses 

To  participate  in  the  poll  or  view  updated  results,  go  to: 
http://isc.sans.org/xpsp2.php 


-  •  <>.*.rVs  v;  * 

-  -  -  -W  • 

r, 


Continued  from  page  1 

SP2 

peak  season,”  said  Mike  Jones, 
CIO  at  Circuit  City  Stores  Inc. 
“While  I’m  happy  to  see  that 
Microsoft  has  put  out  SP2  in 
response  to  known  issues  and 
weaknesses  over  time,  it  just 
doesn’t  work  out  timing-wise 
for  us.” 

Jones  said  the  Richmond, 
Va.-based  retailer  won’t  deploy 
SP2  until  the  first  or  second 
quarter  of  next  year.  And  he 
was  hardly  alone  in 
determining  that 
the  SP2  deployment 
will  have  to  wait  at 
least  four  months. 

Fifteen  of  the  26 
respondents  who  now  have  at 
least  some  XP  in  their  desktop 
environments  indicated  either 
that  they  would  wait  until  next 
year  or  that  they  had  no  near- 
term  or  set  plans  for  SP2.  The 
remainder  said  they  plan  to 
deploy  SP2  when  they  com¬ 
plete  testing,  with  three  of 
them  saying  they  expect  that 
will  be  within  two  months  and 
another  within  four  months. 

“We  are  very  concerned 
about  this  service  pack  break¬ 
ing  some  of  our  applications,” 
said  Bill  Lewkowski,  CIO  at 
Metropolitan  Health  Corp.  in 
Grand  Rapids,  Mich.  “In  fact, 
we  had  one  of  our  vendors 
give  us  notice  that  their  appli¬ 
cations  would  not  work.” 

That  vendor  was  McKesson 
Corp.,  a  San  Francisco-based 
provider  of  health  care  appli¬ 
cations,  he  said.  Lewkowski 
added  that  he  isn’t  sure  when 
Metropolitan  will  finish  test¬ 
ing  SP2,  since  it  will  need  re¬ 
sources  and  money  that  hadn’t 
been  budgeted.  He  said  the  IT 
department  will  work  with  its 
more  than  400  vendors,  but  he 
isn’t  sure  it  will  ever  get  to  the 
point  where  it  can  deliver  SP2 
to  its  users. 

But  Steve  Kleynhans,  an  an¬ 
alyst  at  Meta  Group  Inc.,  said 
his  firm  is  advising  companies 
to  roll  out  SP2  as  fast  as  they 
can.  He  said  he  expects  it  will 


take  most  companies  four  to 
six  months  to  complete  the 
certification  and  engineering 
process  to  prepare  for  the  roll¬ 
out.  “SP2  is  mandatory.  You 
don’t  have  a  choice,”  he  said. 
“Anything  in  the  future  is  go¬ 
ing  to  be  built  on  SP2.” 

Yet  the  application  compati¬ 
bility  problems  that  some  com¬ 
panies  are  encountering  can  be 
difficult  to  work  through.  John 
LaBrue,  a  team  leader  in  dis¬ 
tributed  computing  at  OGE  En¬ 
ergy  Corp.  in  Oklahoma  City, 
said  some  applications  that  the 
IT  department  test¬ 
ed  broke  because  of 
the  new  Windows 
Firewall. 

“There  are 
methodologies  in 
place  to  disable  the  firewall, 
and  we  have  deployed  those  in 
our  test  environment.  We  are 
still  having  issues,”  LaBrue 
said.  “So  it’s  not  alleviating  the 
problems  we  are  experiencing.” 

LaBrue  said  OGE  also  has 
several  custom  applications 
for  mobile  data  that  are  in  a 
“broken  state.”  Its  Citrix  Sys¬ 
tems  Inc.  application  also 
failed,  but  staffers  stumbled 
upon  a  fix  that  worked,  even 
though  it  wasn’t  designed  for 
that  problem. 

In  addition  to  concerns  about 
application  incompatibility 


Hawaiian  Electric  Co.  got  a  dose 
of  special  attention  whenever  it 
encountered  an  application  com¬ 
patibility  problem  with  Service 
Pack  2. 

As  part  of  Microsoft’s  Techni¬ 
cal  Adoption  Program,  the  Hon¬ 
olulu-based  power  company 
worked  closely  with  the  vendor 
on  the  migration  of  its  1,200 
desktops  to  Windows  XP  Profes¬ 
sional,  SP2  and  Office  2003. 

But  even  with  assistance 
close  at  hand,  Hawaiian  Electric 
sometimes  found  it  painful  to 
deal  with  the  shifting  sands  of 
multiple  beta  releases.  The  com- 


and  firewall  issues,  DHL 
Worldwide  Network  SA/NV  is 
worried  about  SP2’s  size  mak¬ 
ing  it  cumbersome  to  deploy 
to  users  who  may  be  connect¬ 
ed  via  slower  network  links, 
according  to  Meg  Plummer, 
director  of  front-end  services 
at  the  international  courier. 

The  full  SP2  package  checks 
in  at  about  265MB,  according 
to  Microsoft.  The  average 
download  is  expected  to  be 
much  smaller  because  of 
“smart  download”  technology 
that  installs  only  what  users 
need.  For  XP  Professional,  the 
SP2  download  is  expected  to  be 
about  100MB,  Microsoft  said. 

Preemptive  Moves 

Some  companies  have  had  to 
disable  Automatic  Update  to 
make  sure  users  don’t  down¬ 
load  SP2  before  they’ve  had  a 
chance  to  test  their  applica¬ 
tions.  John  Foley,  a  network 
planning  analyst  at  Werner  Co. 
in  Greenville,  Pa.,  said  that 
even  though  his  company  dis¬ 
tributes  security  updates 
through  an  internal  server,  he 
made  a  change  to  the  group 
policy  setting  in  Active  Direc¬ 
tory  to  block  users  from  down¬ 
loading  SP2  via  Automatic  Up¬ 
date  or  Windows  Update. 

Companies  that  rely  on  in¬ 
structing  users  to  disable  Auto- 


pany  often  had  to  spend  time 
determining  whether  a  problem 
was  caused  by  XP,  SP1  or  SP2 
before  it  could  seek  a  resolution, 
according  to  Les  McCarter,  di¬ 
rector  of  IT  infrastructure  and 
operations. 

McCarter  said  problems  were 
more  often  related  to  XP  compat¬ 
ibility  -  not  to  SP2.  “We  have  not 
seen  as  many  headaches  with 
SP2  as  has  been  purported  out 
there,”  he  said. 

One  problem  that  was  traced 
to  SP2  involved  the  company’s 
Mincom  Ltd.  ERP  software.  Mc¬ 
Carter  said  Microsoft  investigat- 


matic  Update  run  the  risk  of 
experiencing  frustrating  conse¬ 
quences.  According  to  a  source 
at  a  manufacturing  firm  who 
requested  anonymity,  two  users 
there  downloaded  SP2,  despite 
messages  instructing  them  not 
to  install  it.  Now  the  machines 
won’t  boot  and  must  be  fixed. 

But  SP2’s  timing  will  work 
well  for  some  companies.  All¬ 
state  Insurance  Co.  expects  to 
start  rolling  out  Windows  XP 
on  April  1  next  year,  so  the 
company  is  doing  SP2  and  XP 
application  compatibility  test¬ 
ing  at  the  same  time. 

Still,  that’s  no  small  under¬ 
taking.  Kevin  Rutherford,  a 
workstation  strategist  at  the 
Northbrook,  Ill.-based  compa¬ 
ny,  said  Allstate  has  about 
1,000  applications  to  test. 


ed  the  matter  and  incorporated  a 
solution  into  the  next  beta. 

Other  compatibility  issues  sur¬ 
faced  with  the  company’s  Xerox 
Corp.  scanning  software  and 
with  its  voice-over-IP  software. 
McCarter  said  that  Hawaiian 
Electric  also  had  to  become 
skilled  at  configuring  SP2’s  fire¬ 
wall  to  allow  applications  to  com¬ 
municate  through  it. 

But  McCarter  noted  that  out  of 
several  hundred  applications  the 
company  had  to  test,  it  found 
compatibility  issues  with  only 
three.  He  added  that  the  time 
spent  implementing  SP2’s  secu- 


So  far,  Greg  Lavigne,  an  All¬ 
state  systems  consultant,  has 
already  observed  that  the  in¬ 
surer’s  WRQ_Reflection  termi¬ 
nal-emulator  software  has 
been  flagged  by  Microsoft  on 
a  Web  page  carrying  the  head¬ 
line  “Some  programs  seem  to 
stop  working  after  you  install 
Windows  XP  Service  Pack  2.” 

Jon  Murchinson,  a  Win¬ 
dows  client  product  manager 
at  Microsoft,  said  customers 
should  take  advantage  of  SP2’s 
enhancements  right  away. 

But  the  company  also  recog¬ 
nizes  the  need  for  application 
compatibility  testing,  he  said, 
and  it  recommends  that  cus¬ 
tomers  test  SP2  in  a  closed 
environment  before  rolling  it 
out  to  their  entire  enterprises. 
©  49104 


rity  improvements  was  "well 
worth  it.” 

Another  organization  that 
made  an  early  move  to  SP2  was 
the  government  of  Fulton  County, 
Ga.  Its  CIO,  Robert  Taylor,  said 
the  county  had  an  agreement 
with  Microsoft  to  participate  in 
the  testing  of  SP2. 

Taylor  said  the  county  identi¬ 
fied  some  application  compatibil¬ 
ity  problems  during  prerelease 
testing,  but  it  has  encountered 
none  since  then.  Only  one  of  its 
vendors,  Accela  Communica¬ 
tions,  warned  the  county  about 
deploying  SP2,  but  not  until  last 
week,  he  noted. 

-  Carol  Sliwa 


MORE  ON  SP2 

Visit  our  XP  SP2  special 
coverage  page  online: 

©  QuickLink  a4910 
www.computerworld.com 


Early  SP2  Adopters  Got  Extra  Help  Solving  Problems 


Periodical  postage  paid  at  Framingham.  Mass.,  and  other  mailing  offices.  Posted  under  Canadian  International  Publication  agreement  #40063800.  CANADIAN  POSTMASTER:  Please  return  undeliverable  copy  to  PO  Box  1632.  Windsor.  Ontario  N9A  7C9.  Computerworld  (ISSN  0010-4841)  is  published 
weekly:  except  a  single  combined  issue  for  the  last  two  weeks  In  December  by  Computerworld,  Inc..  500  Old  Connecticut  Path.  Box  9171,  Framingham,  Mass.  01701-9171.  Copyright  2004  by  Computerworld  Inc.  All  rights  reserved.  Computerworld  can  be  purchased  on  microfilm  and  microfiche  through  Uni¬ 
versity  Microfilms  Inc..  300  N.  Zeeb  Road.  Ann  Arbor.  Mich.  48106.  Computerworld  is  indexed.  Back  issues,  if  available,  may  be  purchased  from  the  circulation  department.  Photocopy  rights:  permission  to  photocopy  for  internal  or  personal  use  Is  granted  by  Computerworld  Inc.  for  libraries  and  other  users 

registered  with  the  Copyright  Clearance  Center  (CCC).  provided  that  the  base  fee  of  $3  per  copy  of  the  article,  plus  50  cents  per  page,  is  paid  directly  to  Copyright  Clearance  Center.  27  Congress  St..  Salem.  Mass.  01970.  Reprints  (minimum  100  copies)  and  _ 

permission  to  reprint  may  be  purchased  from  Renee  Smith.  Computerworld  Reprints,  c/o  Reprint  Management  Services.  Greenfield  Corporate  Center.  1808  Colonial  Village  Lane.  Lancaster.  Pa..  17601.  (717)  399-1900.  Ext.  172.  Fax:  (717)  399-8900.  Web  site:  •bpa  \bm  m 


www.reprintbuyer.com.  E-mail:  reprints@computerworld.com.  Requests  for  missing  issues  will  be  honored  only  if  received  within  60  days  of  issue  date.  Subscription  rates:  $5  per  copy:  U.S.  -  $99.99  per  year;  Canada  -  $130  per  year;  Central  &  So.  America. 
$250  per  year:  Europe  -  $295  per  year;  all  other  countries  -  $295  per  year  Subscriptions  call  toll-free  (888)  559-7327.  POSTMASTER:  Send  Form  3579  (Change  of  Address)  to  Computerworld.  PO  Box  3500.  Northbrook.  III.  60065-3500. 


46 


COMPUTERWORLD  August  30, 2004 


THE  BACK  PAGE 


www.computerworld.com 


FRANK  HAYES  ■  FRANKLY  SPEAKING 


Shred,  Bum,  Erase 


"OW  DO  YOU  DEAL  WITH  the  sensitive  data  on  your 
high-tech  junk?  One  way  is  to  send  your  old  PCs  to  a 
company  that  makes  a  business  of  handling  decom¬ 
missioned  corporate  computers.  These  days,  they’ll 
.  charge  you  an  extra  $10  to  $30  just  to  make  sure  the 
hard  disks  are  completely  erased  [QuickLink  49063]. 

Sure,  that’s  more  than  you  want  to  spend.  But  it’s  a  bargain  com¬ 
pared  with  what  a  lawsuit  might  cost  if  sensitive  customer  informa¬ 
tion  leaks  out  of  your  company  on  the  unerased  hard  disk  of  a  dis¬ 
carded  PC.  It’s  a  small  price  to  pay  for  peace  of  mind. 

But  if  what  you  want  is  peace  of  mind,  it’s  nowhere  near  enough. 


Does  that  sound  a  little  paranoid?  Maybe  it  is. 
But  I’ve  purchased  thrift-store  PCs  and  junk- 
shop  hard  disks.  And  yes,  I’ve  scanned  through 
their  contents  before  repartitioning  the  drives. 
I’ve  seen  personal  letters  and  business  corre¬ 
spondence,  contracts  and  legal  papers,  Social 
Security  numbers  and  other  customer  data.  All 
you  need  is  to  scan  a  few  recycled  hard  disks  to 
gain  a  healthy  paranoia  about  junkers  that  con¬ 
tain  valuable  information.  I’ve  scanned  dozens. 

I’ve  also  seen  the  results  of  projects  by  re¬ 
searchers  such  as  Simson  Garfinkel  at  Sand¬ 
storm  Enterprises,  who  found  high-tech  vendor 
source  code,  financial  information  from  invest¬ 
ment  firms,  thousands  of  credit  card  numbers 
and  even  internal  Microsoft  e-mails  on  second¬ 
hand  hard  disks  he  bought  at  swap  meets  and 
used-computer  stores  and  on  eBay. 

So  my  peace-of-mind  threshold  is  pretty  high 
when  it  comes  to  data  on  high-tech  junk.  Maybe 
yours  should  be,  too. 

After  all,  that  PC  recycler  may  do  a  highly 
professional  job  of  wiping  your  junked  PCs’ 
hard  disks.  But  before  that  happens,  those  PCs 
will  sit  on  your  loading  dock  —  then  on  a  truck, 
then  on  the  recycler’s  loading  dock. 

There  may  be  plenty  of  opportuni¬ 
ties  for  someone  to  walk  off  with 
your  data. 

How  do  you  keep  it  safe  until 
it’s  wiped?  The  simplest  answer: 

Use  a  $50  commercial  software 
package  to  wipe  the  disks  yourself, 
before  they  go  to  your  loading 
dock.  Then  pay  the  PC  recycler’s 
fee  to  have  them  wiped  again.  Sure, 
that’s  a  belt-and-suspenders  ap¬ 
proach,  but  it  cuts  the  risk  of  a 
stolen  junker  exposing  sensitive 
data.  It  also  eliminates  the  single 


point  of  failure  of  one  disk-wiping  session. 

But  that’s  not  the  only  small  price  you’ll  have 
to  pay  to  protect  your  data.  There’s  probably 
data  hiding  on  other  high-tech  junk,  too. 

Backup  tapes  are  easy  enough  to  deal  with. 
You  are  using  a  $100  bulk  eraser  to  wipe  them 
before  you  trash  them,  right? 

You  can  also  use  that  to  handle  many  kinds  of 
recordable  media  that  users  copy  sensitive  data 
with.  That  means  floppy  disks,  Zip  disks  and 
cartridges  for  lots  of  other  removable-media 
magnetic  drives. 

Then  there  are  recordable  CDs  and  DVDs, 
the  bane  of  any  IT  shop  that’s  trying  hard  to 
keep  from  leaking  data.  They’re  high-capacity, 
unerasable,  tough  to  destroy  and  easy  to  drop 
into  the  wastebasket  —  which  makes  them  easy 
pickings  for  anyone  who  decides  to  dig  through 
your  Dumpster. 

How  can  you  get  rid  of  them?  There’s  no 
simple,  standard  answer.  People  have  tried 
microwaving,  burning,  sanding  off  the  surface, 
even  dissolving  them  in  acetone.  The  easiest 
may  be  to  run  the  disks  through  a  heavy-duty 
paper  shredder  —  that  will  run  you  $500  or 
more,  but  your  office  probably 
already  has  one. 

But  before  you  can  shred  those 
CDs  or  erase  those  Zip  disks,  you 
have  to  collect  them  from  users. 
They  may  think  you’re  a  little  para¬ 
noid  for  trying  to  track  down  every 
piece  of  high-tech  junk  that  might 
contain  sensitive  data. 

Just  remember:  All  it  takes  is  one 
large  dollop  of  that  data  in  the  wrong 
hands  to  make  your  worst  fears  a 
reality.  Compared  to  that,  users 
thinking  you’re  paranoid  really  is 
a  small  price  to  pay.  O  49071 


frank  hayes,  Computer- 
worlcf  s  senior  news  colum¬ 
nist.  has  covered  IT  for  more 
than  20  years.  Contact  him  at 

frank.hayes9comput6rworld.com. 


Just  Keeping  His  Options  Open 

For  this  online  sales  form,  there  are  60  pages  of  specs 
identifying  whether  fields  are  required  or  optional.  “But 
during  beta  testing,  the  VP  of  sales  goes  ballistic  be¬ 
cause  we  don’t  let  them  submit  a  quote  without  the 
required  fields,”  says  developer  pilot  fish.  “He  tells  us 
that  the  fields  are  only  required  if  the  user  knows  the 
information  -  otherwise  they’re  optional.”  How  can  IT 
know  if  the  user  knows  the  information?  “He  replies 
that  he’s  just  responsible  for  the  requirements,"  fish 
says.  “It’s  our  job  to  figure  out  how  to  do  it.” 


Just  Ask 
Him,  OK? 

When  this  pilot 
fish  is  laid  off, 
he  tries  to  con¬ 
vince  his  bosses  that  he 
should  brief  the  people 
who  will  do  his  job.  But 
they  insist  that  the  re¬ 
maining  staffers  know 
all  they  need  to  know. 
“Fine,”  says  fish,  “ask 
them  how  to  change  the 
server-room  combina¬ 
tion  lock.”  Turns  out  no 
one  knows.  Then  what 
do  the  bosses  do?  “They 
called  the  building  facili¬ 
ties  group  to  change  the 
combination,”  fish  says. 
“77?ey  couldn't  figure  it 
out.  So  they  spent  $725 
to  have  a  new  lock  in¬ 
stalled  -  all  just  to  avoid 
calling  me  and  asking  a 
simple  question.” 

Just  What  Fits 

State  agency’s  IT 
staffers  do  a  careful  job 
of  spec’ing  out  PCs,  but 
somehow  many  of  the 
computers  arrive  with 
the  wrong  hard-disk  ca¬ 
pacity  and  missing  op¬ 
tions.  What  happened? 
“Seems  the  purchasing 
unit  was  using  a  pur¬ 
chase  order  form  that 
could  not  hold  the  PC’s 
entire  specification,  and 
there  was  no  continua¬ 
tion  sheet,”  sighs  pilot 
fish.  “We  only  got  what 
would  fit  on  the  form!” 


SHARK 

TANK* 


Just  Like 
No  Laptop 
At  All 

College  regis¬ 
trar’s  office 
asks  IT  for  laptops  to 
use  for  the  big  class- 
registration  day  at  the 
campus  center.  Why  lap¬ 
tops?  “For  the  conve¬ 
nience,”  an  IT  pilot  fish 
reports.  How  convenient 
are  they?  “About  an  hour 
into  it,  the  users  decided 
they  needed  keyboards,” 
he  says.  “Another  half- 
hour  later,  they  needed 
mice.  By  the  end  of  the 
day,  they  were  com¬ 
plaining  that  the  screen 
was  too  small,  so  a  17- 
in.  LCD  was  placed  at 
each  workstation.” 

Just  in  Time 

For  weeks,  this  IT  pilot 
fish  has  been  trying  to 
resolve  a  critical  issue 
after  installing  a  big 
software  vendor’s  flag¬ 
ship  product.  When  he 
finally  gets  to  the  ven¬ 
dor’s  highest  tech-sup- 
port  level,  a  programmer 
calls  to  tell  fish  that  the 
problem  was  fixed  in  the 
most  recent  patch  -  it’s 
fish's  fault  for  not  being 
up  to  date.  Fish  knows 
that’s  not  the  case,  but 
he  checks  the  vendor’s 
site  anyway.  “Sure 
enough,”  he  says,  “a 
new  patch  had  been 
added  -  that  morning.” 


060 AHEAD  -  MAKE  MY  MORNING.  Send  me  your 
true  tale  of  IT  life  at  sharky@computerworld.com.  If 
I  use  it,  you’ll  score  a  sharp  Shark  shirt.  And  check  out  the 
daily  feed,  browse  the  Sharkives  and  sign  up  for  Shark  Tank 
home  delivery  at  compu1erworld.com/sharky. 


They  multifunction,  multitask  and  multi-simplify. 


HP  multifunctional  products  can  make  you  more  productive— our  free  MFP  strategy  guide  shows  you  how.  Each  of  these  workhorses  can  do  the  job 
of  three  machines— printer,  copier,  scanner— in  one.  Some  fax  too.  Using  HP's  Digital  Sending  Software  (optional  on  the  HP  LaserJet  9055mfp  and  HP 
LaserJet  9065mfp),  you  can  scan  and  send  directly  to  e-mail  or  network  folders,  depending  on  the  model.  Choose  from  a  wide  range  of  devices  to 
find  the  one  that  fits  your  organization,  whether  you're  a  small  office  or  large  department.  By  actively  managing  your  overall  fleet,  you  could  save  up  to 
30%  on  overall  operating  costs  as  well  as  save  time  on  maintenance  and  supplies  management.  With  our  MFPs,  you  get  more  than  a  printer  or  copier. 
And  with  HP  and  our  authorized  dealers,  you  get  more  than  hardware— you  get  service,  support  and  expert  advice.  How's  that  for  multifunctional? 


HP  LASERJET 
4100mfp/4101mfp 

Fully  integrated  printing  and  copying  solution 
for  small  workgroups 


•  Up  to  25  ppm  print/copy  speed  (black) 

•  Print,  copy,  color  scan,  digital  send  and  fax 
(optional  with  4100) 

•  1,600  sheet  maximum  input  capacity 


HP  LASERJET 

9000mfp/9000Lmfp 

High-performance,  versatile  printing  and 
copying  for  large  workgroups 


Up  to  50  ppm/40  ppm  print/copy  speed 
(black) 

Print,  copy,  color  scan,  digital  send  and 
optional  faxing 

Up  to  11"  x  17"  media  capable,  optional 
finishing  includes  multi-position  stapling  and 
saddle-stitch  booklet  production 


HP  LASERJET 
9055mfp/9065mfp 

High-volume,  high-performance  copying 
and  printing  for  large  departments 


Up  to  55  ppm/65  ppm  print/copy  speed 
(black) 

Copy,  print,  scan,  standard  duplex  and 
optional  digital  send 

Optional  4,000-sheet  input  tray,  three-hole 
punch  and  cover  inserter 
Up  to  12"  x  18"  media  capable 


Mail-in  rebates  available  on 
these  two  models.* * 

Rebates  not  available  in  the  state  of  Connecticut. 


FREE  Digital  Sending  Software 
(HP  DSS  3.0  Workflow) 


1 


A  free  MFP  strategy  guide 

and  information  on  current 
offers  are  yours  for  the  asking. 


CALL 


800-888-3127 


CLICK 


hp.com/go/mfppromotions 


n  v  e  n  t 


VISIT 


your  local  HP  reseller 


■Rebate  otters  good  on  HP  9000mfp/HP  9000Lmfp  purchases  made  between  5/1/04  and  10/31/04.  Rebates  are  subject  to  change;  check  the  HP  Web  site  at  www.hp.com/go/hotdeals  for  most  current  rebate  offers  and/or  additional  rebate  offers.  ©2004  Hewlett-Packard  Development  Company,  L.P 


With  SAS®  software’s  new  Intelligence  Platform,  you  can... 


INTELLIGENT  STORAGE 

ETL  PROCESS 

DATA  QUALITY 

BUSINESS  INTELLIGENCE 

ANALYTIC  INTELLIGENCE 


SAS  introduces  a  software  breakthrough  for  sharing  mission-critical  intelligence,  in  just  the  right 
context,  with  everyone  from  executives  to  knowledge  workers.  And  for  increasing  the  value  of  your 
IT  investment  every  step  of  the  way -from  aggregating  and  ensuring  the  quality  of  data,  from  any 
source,  to  transforming  that  data  into  predictive  insight  using  the  world’s  best  analytics.  Can  one 
intelligence  platform  truly  fit  all  your  needs,  within  IT  and  across  your  enterprise?  Let  us  prove  it. 
Call  toll  free  1  866  791  3183  or  visit  our  Web  site. 

www.sas.com/itbreakthrough 


The  Power  to  Know. 


SAS  and  all  other  SAS  Institute  Inc  product  or  service  names  are  registered  trademarks  or  trademarks  of  SAS  Institute  Inc.  n  the  USA  and  other  countries.  ®  indicates  USA  registration. 
Other  brand  and  product  names  are  trademarks  of  their  respective  companies  ©  2004  SAS  Institute  Inc.  All  rights  reserved  280423US.0404 


